[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly
Rémi Lapeyre
report at bugs.python.org
Sat Nov 10 10:27:32 EST 2018
Rémi Lapeyre <remi.lapeyre at henki.fr> added the comment:
This is not a valid cookie string and I think neither Django nor Nginx would understand this cookie correctly.
On the other hand, per RFC 6265 the comma is a forbidden character in a cookie value (https://tools.ietf.org/html/rfc6265#section-4.1.1):
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash
so there is no official way to parse the given string (when a comma is present in the value, the cookie should be encoded as base 64).
Since this is not a valid cookie string anyway, I think the solution proposed by Kyle is appropriate.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue23930>
_______________________________________
More information about the Python-bugs-list
mailing list