New submission from Dan LaMotte:
I recently discovered that a valid cookie (by the RFC) is not parse-able by the
Cookie library in python's standard library.
import Cookie
c = Cookie.SimpleCookie('key=[ab]cd[ef]')
print c.keys() # yields []
When quoted, it works fine:
c = Cookie.SimpleCookie('key="[ab]cd[ef]"')
print c.keys() # yields ['key']
I noticed the issue after upgrading to Python 2.7.9 (was previously at 2.7.2).
The issue cropped up in our internal Django Web site when another internal site
used a cookie in a similar format to the above and due to the sort order of the
cookies, it appeared before the sessionid cookie we use with Django.
Effectively, parsing of the cookie header stops and the sessionid is never read
which ... to Django ... means you are not logged in. So, attempt to login, no
errors, redirect to new page after successful login and you still appear not
logged in.
References:
cookie-value in http://tools.ietf.org/html/rfc6265#section-4.1
token in http://tools.ietf.org/html/rfc2616#section-2.2
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
...
The code correctly disallows brackets [ and ] in cookie-name's, but ends up
disallowing them in cookie-value's as well which is not RFC Compliant.
We noticed this issue in Chrome but not Firefox. Our guess is that Firefox
quotes its cookie-values which the code handles just fine.
--
messages: 234908
nosy: dlamotte
priority: normal
severity: normal
status: open
title: Issue parsing valid cookie
versions: Python 2.7
___
Python tracker
<http://bugs.python.org/issue23341>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
