[issue2193] Cookie Colon Name Bug

Eyal Lewisohn added the comment: just wanted to note that I agree with BM's comment and that I had to change LegalChars myself to include the slash '/' in order for my application to work properly. -- nosy: +Eyal.Lewisohn ___ Python tracker

[issue2193] Cookie Colon Name Bug

Changes by Senthil Kumaran : -- resolution: -> fixed stage: test needed -> committed/rejected status: open -> closed ___ Python tracker ___ __

[issue2193] Cookie Colon Name Bug

Roundup Robot added the comment: New changeset d3b0845a9253 by Senthil Kumaran in branch '3.2': issue2193 - Update 3.2 docs about legal characters allowed in Cookie name http://hg.python.org/cpython/rev/d3b0845a9253 New changeset 8cae3ee7f691 by Senthil Kumaran in branch 'default': issue2193 -

[issue2193] Cookie Colon Name Bug

Senthil Kumaran added the comment: I tested with apache to set ":" in names and then verified the behavior in browsers and it looks like it fine to allow ":" as legal character in cookie name ( though RFC originally does say that). My guess is previously it could have been thought that ":" mi

[issue2193] Cookie Colon Name Bug

Roundup Robot added the comment: New changeset 57ec2e6cd70a by Senthil Kumaran in branch 'default': Fix Issue2193 - Allow ":" character in Cookie NAME values http://hg.python.org/cpython/rev/57ec2e6cd70a -- nosy: +python-dev ___ Python tracker

[issue2193] Cookie Colon Name Bug

Senthil Kumaran added the comment: I tested setting cookies with ":" in the cookie name in both firefox and google-chrome. They both seem to allow and store the cookie with ":" in them. Firefox sent a request header like this: Set-Cookie test:value=solution:is:he the cookie with name con

[issue2193] Cookie Colon Name Bug

Serhiy Storchaka added the comment: Ping. -- nosy: +storchaka ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: h

[issue2193] Cookie Colon Name Bug

R. David Murray added the comment: I'm flat out right now on other projects. But if no one else gets around to doing a final review and commit I should be able to get to it by the end of October. If I don't, please ping me by posting here again. -- _

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: David, Thanks again for the time on this. Can I push to get the patches included, or is there work that still needs to be done on the patches now that the idea is accepted in principle? I did experiment with a few approaches to implement, and it seemed like the

[issue2193] Cookie Colon Name Bug

R. David Murray added the comment: Well, it's been a while since I looked at the cookie code, and I didn't review it when I reviewed your patch. But some time after I hit submit on my message the issue about some stuff getting ignored anyway occurred to me. So given that we are *already* in

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: @ David Murray: Thanks for taking the time to look at this - can I trouble you to keep going and read my response? Thanks. You wrote: > IMO the thing that needs to be fixed here is that receiving an invalid cookie > makes it difficult to receive the valid coo

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: I had a quick look, and there are these relevant bits: << There are two audiences for this specification: developers of cookie-generating servers and developers of cookie-consuming user agents. >> And: << To maximize interoperability with user agents, servers sh

[issue2193] Cookie Colon Name Bug

R. David Murray added the comment: Thanks for taking a crack at this. IMO the thing that needs to be fixed here is that receiving an invalid cookie makes it difficult to receive the valid cookies. I'd love to accept your patch, but "silently ignore" sounds like a bad idea and is something w

[issue2193] Cookie Colon Name Bug

karl added the comment: @Luke did you have the opportunity to look at http://greenbytes.de/tech/webdav/rfc6265.html If there is something which doesn't match reality in that document that would be cool to have feedback about it. -- ___ Python tr

[issue2193] Cookie Colon Name Bug

Changes by Luke Plant : Removed file: http://bugs.python.org/file22514/issue2193_patch_python27.diff ___ Python tracker ___ ___ Python-bugs-lis

[issue2193] Cookie Colon Name Bug

Changes by Luke Plant : Removed file: http://bugs.python.org/file22513/issue2193_patch_trunk.diff ___ Python tracker ___ ___ Python-bugs-list m

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: Same against Python 2.7 -- Added file: http://bugs.python.org/file22516/issue2193_patch_2_python27.diff ___ Python tracker ___ _

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: Found a bug with patch - this supersedes old one. -- Added file: http://bugs.python.org/file22515/issue2193_patch_2_trunk.diff ___ Python tracker __

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: Same patch backported to python 2.7 branch -- Added file: http://bugs.python.org/file22514/issue2193_patch_python27.diff ___ Python tracker ___

[issue2193] Cookie Colon Name Bug

Luke Plant added the comment: First, I agree with others who say that RFCs are basically irrelevant for cookies. For Django we've discovered this in various ways e.g. issue 9824 - http://bugs.python.org/issue9824 - which has now been applied. We have also had to work around the stdlib behavio

[issue2193] Cookie Colon Name Bug

Changes by Terry J. Reedy : -- versions: +Python 3.3 -Python 3.1 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue2193] Cookie Colon Name Bug

Changes by Carsten Klein : -- nosy: +carsten.klein -carsten.kl...@axn-software.de ___ Python tracker ___ ___ Python-bugs-list mailing l

[issue2193] Cookie Colon Name Bug

Changes by Ezio Melotti : -- nosy: -carsten.klein ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.p

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: Perhaps the best solution would be for the Python cookie module to gracefully adapt to servers not quoting cookie values as is required by the RFCs and make these quoted-strings instead? -- ___ Python tracker

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: Ups forgot to also mention the production rule for token, which is defined in the HTTP RFC RFC2616: token = 1* separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" |

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: Guess you are right... I did overlook the quoted-string reference in the RFC: av-pair = attr ["=" value]; optional value attr= token value = word word= token | quoted-string

[issue2193] Cookie Colon Name Bug

BM added the comment: To Carsten Klein: It would be great if you turn your eyes on and try to read more carefully before posting something here. NAME=VALUE NAME is the cookie’s name, and VALUE is its value. Thus the header Set-Cookie: id=waldo sets a cookie with

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: Besides that, BM is wrong in the assumption that *who ever he is* Davi M. Kristol states that the colon is a valid character. There is no such notion in the article. In fact, DMK repeats the definition found in the original RFC on cookies, which also was referr

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: if you'd take a close look at the following lines accepted as part of the patch for stripping out unwanted/non standard cookies over trac: +try: +old_set(key, real_value, coded_value) +except CookieError: +

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: I agree with And Clover that Carsten Klein's comments in #msg127366 are not correct, for the reason that And stated. Also, Carsten repeats again the idea that the trac issue is about the trac server failing to generate appropriate cookies -- but that issue was in

[issue2193] Cookie Colon Name Bug

karl added the comment: @aclover see my comment http://bugs.python.org/issue2193#msg125423 Adam Barth is working for Google on Chrome. The RFC being written is made in cooperation with other browser developers. If you have comments about this RFC you are welcome to add comment on freenode at

[issue2193] Cookie Colon Name Bug

And Clover added the comment: @carsten.klein: there is no such thing as an “original RFC”. The RFCs that have been produced on the subject of cookies, 2109 and 2965, were drawn up long after user-agents implemented cookies. Their attempts to clean up the warts of cookies and implement new fea

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: One more: if you look closer at the accepted patch by CMLENZ over @ t.e.o., you will find: if self.req.headers_in.has_key('Cookie'): -self.incookie.load(self.req.headers_in['Cookie']) +#self.incookie.load(self.req.headers_in['C

[issue2193] Cookie Colon Name Bug

Carsten Klein added the comment: Personally I believe that this is WONTFIX. Why? Because, the original RFC states that the colon is part of the unwanted characters, regardless of whether Perl or other similar implementations ignore the standard. Besides that, and most important: The cookies

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: Yes, interoperability is good. Do you have a specific concern about the change that I proposed? If not, and you're instead just trying to ensure conformance, by all means read the draft specification that you pointed out and look for reasons why my suggested ch

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: Yes, interoperability is good. Do you have a specific concern about the change that I proposed? If not, and you're instead just trying to ensure conformance, by all means read the draft specification that you pointed out and look for reasons why my suggested ch

[issue2193] Cookie Colon Name Bug

karl added the comment: agreed. :) Then my question about parsing rules for libraries. Is interoperability a plus here. -- ___ Python tracker ___ __

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: Again, I don't think this is relevant, because the bug is about servers parsing Cookie: headers. Note that that string (the value of the Cookie: header) may be generated by a different server than the server that parses it (see the trac example mentioned in the

[issue2193] Cookie Colon Name Bug

karl added the comment: John: Ah sorry, if I misunderstood. The bug seems to say that it is about the Cookie Name and legal chars for this cookie name. What I was trying to say is that the processing of the Cookie Name is different depending if you are a client or a server *and* that there is

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: karl: I'm not clear precisely what it is that you want to draw our attention to. Note this bug is about parsing of Cookie headers by servers, not production of Set-Cookie headers by servers. -- ___ Python tracker

[issue2193] Cookie Colon Name Bug

karl added the comment: Ah the server is back the rules for the User Agents are defined here http://tools.ietf.org/html/draft-ietf-httpstate-cookie#section-5 -- ___ Python tracker _

[issue2193] Cookie Colon Name Bug

karl added the comment: The rules for parsing and setting the cookies are different. Server should always produce strict cookies only. So the production rules are to be done accordingly to the specification. Adam Barth is working right now on an update of the "HTTP State Management Mechanis

[issue2193] Cookie Colon Name Bug

R. David Murray added the comment: Seems like this really needs a strict and a lax mode. Perhaps a BrowserCookie class that implements the relaxed rules? That would make this a feature request, though, and so nothing would happen until 3.3, which would be unfortunate. It is certainly possib

[issue2193] Cookie Colon Name Bug

And Clover added the comment: The various attempts by RFCs to codify HTTP cookies are useless and bear no resemblance to what browsers actually do. In the real world, every byte in the range 0x20-0x7E is allowed, except for the semicolon, the equals (in names), and in Opera, in some places, t

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: dstanek> Would it be better to file bugs against buggy implementations instead of changing Python's implementation to be more lenient? No. Another app running on the same domain that knows nothing about RFC 2109 (and why should it?) shouldn't break your Cookie.p

[issue2193] Cookie Colon Name Bug

David Stanek added the comment: My Java may be a bit rusty, but it seems that it would filter out the colon. tspecials contains a colon and thus having a colon in the cookie name would make in invalid. I glanced at the Perl code and couldn't find where it filtered out any characters. Would

[issue2193] Cookie Colon Name Bug

Georg Brandl added the comment: I'll have a look. -- assignee: akuchling -> georg.brandl nosy: +georg.brandl priority: normal -> critical ___ Python tracker ___ _

[issue2193] Cookie Colon Name Bug

John J Lee added the comment: Looks like a bug. Here's the trac bug that this caused -- trac fixed their bug by working around this bug in a really ugly way: http://trac.edgewall.org/ticket/2256 It would be nice to notify the trac developers if/when this is fixed. This bug is probably not s

[issue2193] Cookie Colon Name Bug

Mark Lawrence added the comment: Is this a bug or isn't it, so should it be behaviour or feature request or what? -- nosy: +BreamoreBoy versions: +Python 2.7, Python 3.1, Python 3.2 -Python 2.6 ___ Python tracker _

[issue2193] Cookie Colon Name Bug

Changes by Daniel Diniz : -- nosy: +jjlee stage: -> test needed versions: -Python 2.4, Python 2.5 ___ Python tracker ___ ___ Python-b

[issue2193] Cookie Colon Name Bug

Changes by Sean Reifschneider <[EMAIL PROTECTED]>: -- assignee: -> akuchling nosy: +akuchling priority: -> normal __ Tracker <[EMAIL PROTECTED]> __ __

[issue2193] Cookie Colon Name Bug

BM added the comment: Well, as D.M.Kristol says: there are no any standard for this particular topic. And RFC is not any standard but a request for comments... Personally I've been added a colon in Cookie.py for let Trac and other Python-based software stop crashing, because such sort of cooki

[issue2193] Cookie Colon Name Bug

Changes by Jerry Seutter: -- type: -> behavior __ Tracker <[EMAIL PROTECTED]> __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.p

[issue2193] Cookie Colon Name Bug

Jerry Seutter added the comment: Heh, I think I should not have gotten involved in this bug. :) I have a few comments: In response to 2.: David M. Kristol in that article is referring to the original Netscape cookie implementation which is somewhat different from what is set out in the RFC's.

[issue2193] Cookie Colon Name Bug

BM added the comment: OK, I see and agree there are no actually that standard that we can call as a standard. But let me try to put in the other way again: 1. This documentation refers to the same RFC2109: http://docs.python.org/lib/module-Cookie.html But the RFC is slightly older than next Da

[issue2193] Cookie Colon Name Bug

Jerry Seutter added the comment: Hm. Your bug doesn't agree with my interpretation of the RFC's. RFC2109 section 4.1 states that the the cookie name (attr) is of type "token", which in RFC2068 section 2.2 is defined as any chars excluding control characters and special characters. RFC2068 list

[issue2193] Cookie Colon Name Bug

New submission from BM: According to David M. Kristol, only comma, space and semi-colon are forbidden in the cookie Name. However, Python's Cookie.py rejects a colon too. At the same time, Java Cookie in the servlet implementation allows a colon and Perl too. The fix would be to add a colon s