[New-bugs-announce] [issue37277] http.cookies.SimpleCookie does not parse attribute without value (rfc2109)

Konstantin Enchant report at bugs.python.org
Fri Jun 14 04:41:30 EDT 2019


New submission from Konstantin Enchant <sirkonst at gmail.com>:

Very strange case, but https://www.ietf.org/rfc/rfc2109.txt (see 4.1 Syntax: General) defines that "= value" is optional for attribute-value pairs in the Cookie header.

And SimpleCookie is fully broken if it meets an attribute without a value, for example:

```
>>> from http.cookies import SimpleCookie

# all ok
>>> SimpleCookie('a=1')
<SimpleCookie: a='1'>

# parsing is fully broken: it fails to parse not only `test` but `a` too
>>> SimpleCookie('test; a=1')
<SimpleCookie: >

# or
>>> SimpleCookie('a=1; test; b=2')
<SimpleCookie: >
```

I think the problem hasn't been noticed for so long because people usually use frameworks; for example, Django parses it correctly because it has a workaround - https://github.com/django/django/blob/master/django/http/cookie.py#L20.

Also, Go Lang handles that case too, example - https://play.golang.org/p/y0eFXVq6byK

(As you can see, Go Lang and Django have different behavior for that case, and I think Go Lang does it better.)

The problem seems minor not but aiohttp uses SimpleCookie as is (https://github.com/aio-libs/aiohttp/blob/3.5/aiohttp/web_request.py#L482) and if a request has that strange cookie value mixed with other normal values, all cookies cannot be parsed by aiohttp (request.cookies is just empty).

In the real world, in my web application (based on aiohttp), it fully breaks authentication for requests based on cookies.

I hope that will be fixed in SimpleCookie without implementing a workaround for aiohttp like Django.

----------
messages: 345563
nosy: sirkonst
priority: normal
severity: normal
status: open
title: http.cookies.SimpleCookie does not parse attribute without value (rfc2109)
versions: Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37277>
_______________________________________
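
The failure mode reported above, shown as an added example that is not part of the original report and is not CPython, aiohttp, Django or Go code: a per-pair parser that keeps the valid cookies when one chunk has no "= value", plus a check for names that SimpleCookie loses. The function names, the choice to treat a valueless chunk as a name with an empty value, and the first-occurrence-wins rule are assumptions of this example.

```python
from http.cookies import CookieError, SimpleCookie


def parse_cookie_header(header):
    """Parse a Cookie request header without discarding valid pairs.

    Assumption of this example: a chunk with no "=" becomes a name with
    an empty value; malformed chunks are skipped one at a time.
    """
    cookies = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # empty segment, e.g. a trailing ";"
        name, _, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not name:
            continue  # "=value" has no usable name
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop surrounding double quotes only
        cookies.setdefault(name, value)  # assumption: first occurrence wins
    return cookies


def dropped_by_simplecookie(header):
    """Return names the tolerant parser finds but SimpleCookie does not."""
    try:
        seen = set(SimpleCookie(header).keys())
    except CookieError:
        seen = set()
    return set(parse_cookie_header(header)) - seen


if __name__ == "__main__":
    # Constructed sample headers, taken from the report's examples.
    for sample in ("a=1", "test; a=1", "a=1; test; b=2"):
        print(repr(sample), parse_cookie_header(sample),
              "lost by SimpleCookie:", sorted(dropped_by_simplecookie(sample)))
```

A non-empty result from `dropped_by_simplecookie` on a request that should carry a session cookie is a useful signal to log before authentication is rejected.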

