New submission from Konstantin Enchant <sirko...@gmail.com>:
A very strange case, but https://www.ietf.org/rfc/rfc2109.txt (see 4.1 Syntax: General) defines that "= value" is optional for attribute-value pairs in the Cookie header. And SimpleCookie is fully broken if it meets an attribute without a value, for example:

```
>>> from http.cookies import SimpleCookie

# all ok
>>> SimpleCookie('a=1')
<SimpleCookie: a='1'>

# parsing is fully broken: not only `test` but `a` too is not parsed
>>> SimpleCookie('test; a=1')
<SimpleCookie: >

# or
>>> SimpleCookie('a=1; test; b=2')
<SimpleCookie: >
```

I think the problem hasn't been noticed for so long because people usually use frameworks; for example, Django parses it correctly because it has a workaround - https://github.com/django/django/blob/master/django/http/cookie.py#L20.

Go Lang also handles that case, example - https://play.golang.org/p/y0eFXVq6byK (As you can see, Go Lang and Django have different behavior for that case, and I think Go Lang does it better.)

The problem seems minor, but it is not: aiohttp uses SimpleCookie as is (https://github.com/aio-libs/aiohttp/blob/3.5/aiohttp/web_request.py#L482), and if a request has that strange cookie value mixed with other normal values, none of the cookies can be parsed by aiohttp (request.cookies is just empty).

In the real world, in my web application (based on aiohttp), it fully breaks authentication for requests based on cookies.

I hope this will be fixed in SimpleCookie without implementing a workaround in aiohttp like Django's.

----------
messages: 345563
nosy: sirkonst
priority: normal
severity: normal
status: open
title: http.cookies.SimpleCookie does not parse attribute without value (rfc2109)
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue37277>
_______________________________________
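One way to keep a single valueless token from discarding every cookie in a request, as an added example that is not part of the original report and not code from CPython, Django or aiohttp: split the header on `;`, set aside chunks that are not `name=value`, and hand each remaining pair to SimpleCookie separately. The function name `parse_cookie_header` and the sample header are constructed for illustration, and skipping the valueless token (rather than keeping it under an empty name) is a policy assumed here.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed sample header: the middle token has no "=value" part.
SAMPLE_HEADER = "a=1; test; b=2"


def parse_cookie_header(header):
    """Parse a Cookie request header pair by pair.

    Returns (cookies, skipped): a name -> value dict, plus the chunks that
    were set aside instead of invalidating the whole header.
    """
    cookies, skipped = {}, []
    # Assumption: pairs are separated by ";" and values contain no ";".
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, _value = chunk.partition("=")
        if not sep or not name.strip():
            skipped.append(chunk)      # valueless token or empty name
            continue
        jar = SimpleCookie()
        try:
            jar.load(chunk)            # stdlib handles quoting and decoding
        except CookieError:
            skipped.append(chunk)
            continue
        if not jar:                    # stdlib rejected this pair on its own
            skipped.append(chunk)
            continue
        for key, morsel in jar.items():
            cookies[key] = morsel.value  # last duplicate wins, as in SimpleCookie
    return cookies, skipped


if __name__ == "__main__":
    cookies, skipped = parse_cookie_header(SAMPLE_HEADER)
    print("tolerant parser:", cookies, "skipped:", skipped)
    # The stdlib parser on the same header, for comparison with the report.
    print("SimpleCookie:", dict(SimpleCookie(SAMPLE_HEADER)))
```

Logging the `skipped` list on the server side shows which clients or upstream components are sending malformed Cookie headers, without the session cookie being lost along with them.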