New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue parsing valid cookie #67530
Comments
I recently discovered that a valid cookie (by the RFC) is not parse-able by the Cookie library in python's standard library. import Cookie
c = Cookie.SimpleCookie('key=[ab]cd[ef]')
print c.keys() # yields [] When quoted, it works fine: c = Cookie.SimpleCookie('key="[ab]cd[ef]"')
print c.keys() # yields ['key'] I noticed the issue after upgrading to Python 2.7.9 (was previously at 2.7.2). The issue cropped up in our internal Django Web site when another internal site used a cookie in a similar format to the above and due to the sort order of the cookies, it appeared before the sessionid cookie we use with Django. Effectively, parsing of the cookie header stops and the sessionid is never read which ... to Django ... means you are not logged in. So, attempt to login, no errors, redirect to new page after successful login and you still appear not logged in. References: cookie-value in http://tools.ietf.org/html/rfc6265#section-4.1 cookie-pair = cookie-name "=" cookie-value The code correctly disallows brackets [ and ] in cookie-name's, but ends up disallowing them in cookie-value's as well which is not RFC Compliant. We noticed this issue in Chrome but not Firefox. Our guess is that Firefox quotes its cookie-values which the code handles just fine. |
This may be a duplicate of bpo-22931. If so please add your comments there and close this one. |
Yes, this is a duplicate of that bug. Sorry. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: