[New-bugs-announce] [issue16611] multiple problems with Cookie.py

John Dennis report at bugs.python.org
Tue Dec 4 21:50:24 CET 2012

New submission from John Dennis:

There are multiple problems with Cookie.py. Some of the issues are covered in http://bugs.python.org/issue3073 which is still open (after 4.5 years).

In all honesty the API and the implementation are not great; perhaps the best thing would be to remove it from the core libraries, however you can't remove a core library. There is cookielib.py, which is pretty good; however, cookielib.py is tightly coupled to urllib2 and if you're not using urllib2 you can't use cookielib.py, so you're stuck using Cookie.py, which means the best thing is to get the bugs in Cookie.py fixed.

Of the problems illustrated in the attached unittest (test_cookie.py) the absolute must-fix issues are the inability to parse an Expires attribute and the impossibility of testing the HttpOnly & Secure flags for a truth value after parsing. Those are critical because they make using Cookie.py impossible. The other errors would be nice to get fixed, but not as critical. Next in importance would be respecting the truth value when setting the HttpOnly & Secure flags. Failing to detect an improperly formatted cookie when parsing is the least important because hopefully you won't have improperly formatted cookies (unfortunately a weak assumption).

Note: the HttpOnly and Secure issues are symmetrical; they both suffer the same problems because they're both boolean flags whose True value is asserted by the flag's presence and its False value by its absence.

Cookie parsing problems:

* Cannot read a properly formatted Expires attribute (see also issue 3073)

* Impossible to determine state of HttpOnly boolean flag after parsing

* Impossible to determine state of Secure boolean flag after parsing

* Fails to raise any errors when parsing invalid cookie strings

Cookie creation/initialization problems:

* Setting HttpOnly flag to a value which evaluates to False results in the flag being set to True (there is no check whatsoever on the value).

* Setting Secure flag to a value which evaluates to False results in the flag being set to True (there is no check whatsoever on the value).

Attached is a unittest illustrating the problems (more details are in the unittest).

python test_cookie.py
Ran 13 tests in 0.003s

FAILED (failures=9)

components: Library (Lib)
files: test_cookie.py
messages: 176957
nosy: jdennis
priority: normal
severity: normal
status: open
title: multiple problems with Cookie.py
versions: Python 2.7
Added file: http://bugs.python.org/file28208/test_cookie.py

Python tracker <report at bugs.python.org>
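
The behaviour the report asks for, as an added example that is not part of the original message and is not Cookie.py's code: a strict stand-alone parser and formatter for a single Set-Cookie header value. The function names, the accepted attribute set and the sample header are assumptions made for illustration, and rejecting unknown attributes is a choice of this sketch.

```python
import re
from email.utils import parsedate_to_datetime

BOOL_ATTRS = {"secure", "httponly"}            # true by presence alone
VALUE_ATTRS = {"expires", "max-age", "domain", "path"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+\Z")

# Constructed sample header value, not taken from the report.
SAMPLE = "sid=abc123; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; Secure"

def parse_set_cookie(header):
    """Return (name, value, attrs) or raise ValueError on malformed input."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not TOKEN.match(name):
        raise ValueError("malformed cookie pair: %r" % parts[0])
    attrs = {"secure": False, "httponly": False}   # flags always testable
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in BOOL_ATTRS and not sep:
            attrs[key] = True
        elif key in VALUE_ATTRS and sep:
            if key == "expires":                   # value contains ", " and spaces
                try:
                    val = parsedate_to_datetime(val)
                except (TypeError, ValueError):
                    raise ValueError("bad Expires date: %r" % val)
            attrs[key] = val
        else:
            raise ValueError("bad attribute: %r" % part)
    return name, value, attrs

def format_set_cookie(name, value, **attrs):
    """Build a header value; a falsy Secure/HttpOnly omits the flag."""
    out = ["%s=%s" % (name, value)]
    for key, val in attrs.items():
        if key.lower() in BOOL_ATTRS:
            if val:
                out.append(key)
        else:
            out.append("%s=%s" % (key, val))
    return "; ".join(out)

if __name__ == "__main__":
    print(parse_set_cookie(SAMPLE))
    print(format_set_cookie("sid", "abc123", Path="/", Secure=False, HttpOnly=True))
```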
