bpo-23930: Add support to parse comma-separated cookies #10494

Closed

@remilapeyre remilapeyre commented Nov 12, 2018

Some user-agents do not respect RFC 6265 and send comma-separated
cookies like "a=b,z=zz" when it should be "a=b; z=zz". Until now,
cookies.SimpleCookie would parse this as a unique cookie "a" with value
"b,z=zz".

A comma in the cookie value is explicitly prohibited by RFC 6265 (https://tools.ietf.org/html/rfc6265#section-4.1.1).
If a comma happens to be in the value, it should have been base 64
encoded:

    cookie-pair       = cookie-name "=" cookie-value
    cookie-name       = token
    cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

When this happens, since the cookie string is invalid and no comma should
be present, a better default is to consider it a separator and to parse
the string as two cookies "a=b" and "z=zz".

https://bugs.python.org/issue23930
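
An added illustration, not part of this pull request or of CPython: a strict check of a `Cookie` header against the RFC 6265 `cookie-octet` grammar quoted above, next to what `SimpleCookie` returns for the same input. The helper names `check_cookie_header` and `simplecookie_view` are assumptions made for this example, and the sample headers are constructed.

```python
import re
from http.cookies import SimpleCookie

# RFC 6265 section 4.1.1:
# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
_VALUE_RE = re.compile(rf'(?:{_OCTET}*|"{_OCTET}*")')
# cookie-name = token (RFC 2616): no CTLs, no separators
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_cookie_header(header):
    """Return (valid, rejected) for a Cookie header value.

    Pairs are split on ';' only (whitespace around pairs is tolerated).
    A pair is accepted when its name is a token and its value consists
    solely of cookie-octets, optionally wrapped in double quotes.
    """
    valid, rejected = {}, []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if sep and _TOKEN_RE.fullmatch(name) and _VALUE_RE.fullmatch(value):
            valid[name] = value
        else:
            # e.g. a comma (0x2C) in the value: outside cookie-octet
            rejected.append(pair)
    return valid, rejected


def simplecookie_view(header):
    """What http.cookies.SimpleCookie makes of the same header."""
    return {name: morsel.value for name, morsel in SimpleCookie(header).items()}


if __name__ == "__main__":
    for sample in ("a=b; z=zz", "a=b,z=zz"):  # constructed sample headers
        print(repr(sample))
        print("  strict      :", check_cookie_header(sample))
        print("  SimpleCookie:", simplecookie_view(sample))
```

The strict check rejects `a=b,z=zz` outright instead of guessing whether the comma was meant as a separator or as part of the value, so the application can log or drop the malformed header.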

@csabella

This was rejected by @vadmium on the bug tracker and had no further discussion, so I'm going to close this PR. Thank you.

@csabella csabella closed this Dec 14, 2019