[New-bugs-announce] [issue19869] BaseCookie does not complain if a non RFC compliant cookie header was given
Florian Pilz
report at bugs.python.org
Tue Dec 3 08:23:01 CET 2013
New submission from Florian Pilz:
BaseCookie should give an informative error, if a non RFC compliant header was given. The problem was, that we thought several cookies are allowed in one header in a cookie *response* header. However, this is only allowed in cookie *request* headers.
In those cases the output of BaseCookie looks broken, which caused a lot of confusion, since a standard library should not have so many flaws.
Example with parsing a response header with several cookies separated by comma (not allowed by RFC):
http.cookies.BaseCookie('foo=bar, oof=rab; httponly, bar=baz').output()
'Set-Cookie: bar=baz\r\nSet-Cookie: foo=bar,\r\nSet-Cookie: oof=rab'
Flaws:
* comma after 'foo=bar' in output
* the httponly flag was omitted (it would show up with a semi-colon after it, i.e. 'oof=rab; httponly;')
* input and output style are different, i.e. several cookies in one line were transformed to several cookies in several lines
I think the best solution is to fail early and hard, if there are several cookies in one header. Maybe some problems should be fixed anyway (trailing comma, different output style).
----------
components: Library (Lib)
messages: 205077
nosy: florianpilz
priority: normal
severity: normal
status: open
title: BaseCookie does not complain if a non RFC compliant cookie header was given
type: behavior
versions: Python 3.3, Python 3.4, Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue19869>
_______________________________________
More information about the New-bugs-announce
mailing list