[New-bugs-announce] [issue23341] Issue parsing valid cookie
Dan LaMotte
report at bugs.python.org
Wed Jan 28 20:26:05 CET 2015
New submission from Dan LaMotte:
I recently discovered that a valid cookie (by the RFC) is not parse-able by the Cookie library in python's standard library.
import Cookie
c = Cookie.SimpleCookie('key=[ab]cd[ef]')
print c.keys() # yields []
When quoted, it works fine:
c = Cookie.SimpleCookie('key="[ab]cd[ef]"')
print c.keys() # yields ['key']
I noticed the issue after upgrading to Python 2.7.9 (was previously at 2.7.2). The issue cropped up in our internal Django Web site when another internal site used a cookie in a similar format to the above and due to the sort order of the cookies, it appeared before the sessionid cookie we use with Django. Effectively, parsing of the cookie header stops and the sessionid is never read which ... to Django ... means you are not logged in. So, attempt to login, no errors, redirect to new page after successful login and you still appear not logged in.
References:
cookie-value in http://tools.ietf.org/html/rfc6265#section-4.1
token in http://tools.ietf.org/html/rfc2616#section-2.2
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
...
The code correctly disallows brackets [ and ] in cookie-name's, but ends up disallowing them in cookie-value's as well which is not RFC Compliant.
We noticed this issue in Chrome but not Firefox. Our guess is that Firefox quotes its cookie-values which the code handles just fine.
----------
messages: 234908
nosy: dlamotte
priority: normal
severity: normal
status: open
title: Issue parsing valid cookie
versions: Python 2.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23341>
_______________________________________
More information about the New-bugs-announce
mailing list