
Quote mark breaks http.cookies, Cookie.py processing #71861

Open
ArturSmt mannequin opened this issue Aug 3, 2016 · 5 comments
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments


ArturSmt mannequin commented Aug 3, 2016

BPO 27674
Nosy @vadmium

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2016-08-03.12:22:28.653>
labels = ['type-bug', 'library']
title = 'Quote mark breaks http.cookies, Cookie.py processing'
updated_at = <Date 2020-09-03.09:29:56.938>
user = 'https://bugs.python.org/ArturSmt'

bugs.python.org fields:

activity = <Date 2020-09-03.09:29:56.938>
actor = 'brayer.benoit'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2016-08-03.12:22:28.653>
creator = 'Artur Sm\xc4\x99t'
dependencies = []
files = []
hgrepos = []
issue_num = 27674
keywords = []
message_count = 4.0
messages = ['271901', '271903', '271934', '376289']
nosy_count = 3.0
nosy_names = ['martin.panter', 'Artur Sm\xc4\x99t', 'brayer.benoit']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue27674'
versions = ['Python 2.7', 'Python 3.5']


ArturSmt mannequin commented Aug 3, 2016

The problem is similar to https://bugs.python.org/issue22931 with square brackets in cookie values.
The incorrect value is serialized JSON in this case, for example:

>>> from Cookie import SimpleCookie
>>> cookie = SimpleCookie()
>>> cookie.load('a=b; c={"somekey":"value"}; d=e, f=g, some=other')
>>> cookie.output()
'Set-Cookie: a=b'

From my tests I figured out that the quote mark (") is causing problems.

In fact, according to the HTTP specification, cookies can't be JSON objects, but I think that the Python library shouldn't silently allow incorrect values. Probably incorrect cookies should be skipped, or some exception should be thrown there.


ArturSmt mannequin commented Aug 3, 2016

The problem exists in Chrome for sure (it sends cookies as they are, set with JS for example).

I have two other examples that can make this issue clearer:

>>> from Cookie import SimpleCookie
>>> c = SimpleCookie()
>>> c.load('a=b; c=c"c; d=d')
>>> c.output()
'Set-Cookie: a=b'

Also using escaping and quotes (cookie version 1) works:
>>> c = SimpleCookie()
>>> c.load('a=b; c="c\\"c"; d=d')
>>> c.output()
'Set-Cookie: a=b\r\nSet-Cookie: c="c\\"c"\r\nSet-Cookie: d=d'


vadmium commented Aug 4, 2016

If you want to silently skip over invalid cookies by looking for a semicolon, see bpo-25228. For that, I think we need someone to add some more tests and confirm it doesn’t open a security hole.

Also maybe see bpo-22983 and bpo-17340.

@vadmium vadmium changed the title Quote mark breaks cookie processing Quote mark breaks http.cookies, Cookie.py processing Aug 22, 2016

brayerbenoit mannequin commented Sep 3, 2020

Please find what Django's devs have done to parse cookies:

django/django@93a135d

I hope this might help to find a solution.

@jimmbelll

Lib/http/cookies.py line 436:

Add double-quote to _LegalValueChars

_LegalValueChars = _LegalKeyChars + r'\[\]' + '"' # only double-quote added

And now it accepts this cookie:

g_state={"i_l":0}
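As an added example (not code from this issue, from CPython or from Django), the following puts the silent truncation reported above next to a per-pair parser that validates each value against the RFC 6265 cookie-value grammar (assumed here as the validation rule) and returns the rejected pairs instead of dropping every cookie after the first bad one:

```python
import re
from http.cookies import SimpleCookie

# RFC 6265 grammar, used here as the validation rule (not CPython's own regex):
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable ASCII minus CTLs, space, '"', ',', ';' and '\'.
_COOKIE_OCTETS = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token for names


def stdlib_parse(header):
    """What SimpleCookie.load() keeps from a Cookie header (the behaviour reported above)."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def strict_parse(header):
    """Parse pair by pair, validating each value against the RFC 6265 grammar.

    Returns (accepted, rejected): a bad value only costs its own pair, and the
    rejected pairs are handed back so the caller can log them instead of
    losing every cookie that followed the bad one.
    """
    accepted, rejected = {}, []
    for pair in header.split(';'):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition('=')
        name, value = name.strip(), value.strip()
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        inner = value[1:-1] if quoted else value
        if sep and _TOKEN.match(name) and _COOKIE_OCTETS.match(inner):
            accepted[name] = value          # keep the raw (possibly quoted) value
        else:
            rejected.append(pair)
    return accepted, rejected


if __name__ == '__main__':
    # Constructed inputs, built from the cookie strings quoted in this issue.
    for header in ('a=b; c={"somekey":"value"}; d=e',
                   'a=b; c="c\\"c"; d=d',
                   'g_state={"i_l":0}; session=abc123'):
        print(header)
        print('  stdlib :', stdlib_parse(header))
        print('  strict :', strict_parse(header))
```

Note that the escaped-quote form c="c\"c" from the second report is accepted by SimpleCookie but rejected by the RFC 6265 rule, because neither the backslash nor an inner quote is a cookie-octet.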
