
Issue parsing valid cookie #67530

Closed
dlamotte mannequin opened this issue Jan 28, 2015 · 3 comments


dlamotte mannequin commented Jan 28, 2015

BPO 23341
Nosy @bitdancer
Superseder
  • bpo-22931: cookies with square brackets in value
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.



    dlamotte mannequin commented Jan 28, 2015

    I recently discovered that a valid cookie (by the RFC) is not parseable by the Cookie library in Python's standard library.

      import Cookie
      c = Cookie.SimpleCookie('key=[ab]cd[ef]')
      print c.keys() # yields []

    When quoted, it works fine:

      c = Cookie.SimpleCookie('key="[ab]cd[ef]"')
      print c.keys() # yields ['key']

    I noticed the issue after upgrading to Python 2.7.9 (was previously at 2.7.2). The issue cropped up in our internal Django Web site when another internal site used a cookie in a similar format to the above and, due to the sort order of the cookies, it appeared before the sessionid cookie we use with Django. Effectively, parsing of the cookie header stops and the sessionid is never read which ... to Django ... means you are not logged in. So, attempt to log in, no errors, redirect to new page after successful login and you still appear not logged in.

    References:

    cookie-value in http://tools.ietf.org/html/rfc6265#section-4.1
    token in http://tools.ietf.org/html/rfc2616#section-2.2

    cookie-pair = cookie-name "=" cookie-value
    cookie-name = token
    ...

    The code correctly disallows brackets [ and ] in cookie-names, but ends up disallowing them in cookie-values as well, which is not RFC compliant.

    We noticed this issue in Chrome but not Firefox. Our guess is that Firefox quotes its cookie-values which the code handles just fine.
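    The truncation described above, as an added example that is not part of this issue thread: Python 3's http.cookies now accepts square brackets in values (the bpo-22931 fix), so the constructed header uses a backslash, which is still outside the parser's legal value characters, to trigger the same stop-at-first-bad-pair behaviour. The `dropped_cookies` check is a hypothetical helper for spotting a silently lost session cookie, not part of the standard library.

```python
"""Show how one malformed cookie-pair makes http.cookies drop every pair
after it, and a cheap check that flags the loss of a session cookie."""
from http.cookies import SimpleCookie

# Constructed sample Cookie header: the second pair contains a backslash,
# which http.cookies does not accept in an unquoted value, and the session
# cookie sorts after it (the situation described in the report).
SAMPLE_COOKIE_HEADER = r'theme=dark; junk=[ab]\cd; sessionid=s3cr3t'


def lenient_names(header):
    """Names of all name=value pairs a plain ';' split sees (RFC 6265 style)."""
    names = []
    for pair in header.split(';'):
        name, sep, _value = pair.strip().partition('=')
        if sep and name:
            names.append(name)
    return names


def strict_names(header):
    """Names that http.cookies.SimpleCookie actually keeps from the header."""
    jar = SimpleCookie()
    jar.load(header)
    return list(jar.keys())


def dropped_cookies(header):
    """Names present in the raw header but absent after strict parsing.

    Because SimpleCookie stops at the first pair its pattern cannot match,
    every pair after the bad one is lost, not just the bad one itself.
    """
    kept = set(strict_names(header))
    return [n for n in lenient_names(header) if n not in kept]


if __name__ == '__main__':
    print('kept   :', strict_names(SAMPLE_COOKIE_HEADER))
    print('dropped:', dropped_cookies(SAMPLE_COOKIE_HEADER))
    # As in the report, quoting the awkward value makes the whole header parse.
    print('quoted :', strict_names(r'junk="[ab]\cd"; sessionid=s3cr3t'))
```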

    @bitdancer

    This may be a duplicate of bpo-22931. If so please add your comments there and close this one.


    dlamotte mannequin commented Jan 28, 2015

    Yes, this is a duplicate of that bug. Sorry.

    @dlamotte dlamotte mannequin closed this as completed Jan 28, 2015
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022