Classification
Title: SimpleCookie should escape commas and semi-colons
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.1, Python 3.2, Python 2.7
Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: georg.brandl
Nosy List: eric.araujo, georg.brandl, r.david.murray, spookylukey
Priority: critical
Keywords: patch

Created on 2010-09-10 16:50 by spookylukey, last changed 2010-12-28 19:11 by r.david.murray. This issue is now closed.

Files
simplecookie_fix.diff - uploaded by spookylukey, 2010-09-10 16:50 - patch
cookies_extra_coding.patch - uploaded by r.david.murray, 2010-12-17 02:51
Messages (7)
msg116030 - Author: Luke Plant (spookylukey) Date: 2010-09-10 16:50
In developing Django, we found that some browsers don't treat commas and semi-colons in cookie values (i.e. the Set-Cookie header) the way that RFC 2109 says they should. (Safari splits the header on a comma followed by space, Internet Explorer splits on semi-colons - both irrespective of any 'quoting').

The result is that if you use SimpleCookie to create Set-Cookie headers, where the cookie value contains a comma or semi-colon, you can get all kinds of breakage. 

In the end, we realised that the RFCs are kind of irrelevant, and we have to look at what browsers actually do.  So, it would be much more useful if semi-colons and commas were escaped the way that other characters are by SimpleCookie.

Our discussion/findings are here:
http://code.djangoproject.com/ticket/12470#comment:4
http://groups.google.com/group/django-developers/msg/2cb729938e8e67ca

The patch to Cookie.py (Python 2.X) or http/cookies.py (Python 3.X) is simple and follows. I'm assuming that this applies to Python 3.2 and 3.3, but I haven't checked.
msg116031 - Author: Luke Plant (spookylukey) Date: 2010-09-10 17:08
I forgot to mention backwards compatibility:

In the context of Cookie being used in a web application, if developers were relying on literal commas and semi-colons being present in the client side cookie value (e.g. in javascript), the patch will introduce an incompatibility.

A quick review of cookies on my computer shows that 22 out of 3079 have commas in them, and none have semi-colons in them.  For those with commas, there would still only be a problem if they were reading them client side, or not using Python's Cookie library to decode the values server side.
msg116121 - Author: Georg Brandl (georg.brandl) (Python committer) Date: 2010-09-11 21:20
I will have a look at this, it looks like it could at least use a few tests.
msg116142 - Author: Éric Araujo (eric.araujo) (Python committer) Date: 2010-09-12 00:59
Thanks for forwarding this upstream.  A tip about Python versions: Bugs are fixed on the active branch, py3k (which will become 3.2), then backported to 3.1 and 2.7.  Security fixes go into 2.5 and 2.6 too.  3.3 means that something won’t make it to 3.2 and is delayed.
msg124175 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2010-12-17 02:51
Here's a patch against py3k with test.  If I'm understanding the issue correctly, this looks like a pretty safe change.
msg124775 - Author: Georg Brandl (georg.brandl) (Python committer) Date: 2010-12-28 09:45
Looks good.
msg124814 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2010-12-28 19:11
Committed to py3k in r87550.  Since the only application that would trip up would be one not using SimpleCookie to read SimpleCookie generated cookies *and* that doesn't implement unescaping (in which case it wasn't really handling SimpleCookie cookies, was it?), I went ahead and backported it to 3.1 in r87551 and 2.7 in r87552.
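The behaviour discussed in the first post and in the final message, as an added example that is not part of the issue thread or of CPython itself: it shows the escaping SimpleCookie applies to ',' and ';' in a value, models a lenient client that splits the header on those characters regardless of quoting (a constructed approximation, not real browser code), and shows that only a decoder which understands the escaping (SimpleCookie here) recovers the original value. The `unescaped` string is built by hand to stand in for pre-fix output.

```python
"""Show why escaping ',' and ';' in cookie values protects them from clients
that split Set-Cookie on those characters without regard for quoting."""
from http.cookies import SimpleCookie


def encode_value(name, value):
    """Return the 'name=value' text SimpleCookie emits for one cookie.
    Characters outside SimpleCookie's legal set are written as \\ooo octal
    escapes inside double quotes, so ',' becomes \\054 and ';' becomes \\073."""
    jar = SimpleCookie()
    jar[name] = value
    return jar[name].OutputString()


def decode_value(name, cookie_text):
    """Parse 'name=value' text with SimpleCookie and return the unescaped value."""
    jar = SimpleCookie()
    jar.load(cookie_text)
    return jar[name].value


def lenient_client_first_pair(header_body):
    """Constructed model of the client behaviour described in the thread: split
    the header on ';' (and on ', ') with no regard for quoting and keep only the
    first 'name=value' chunk. An approximation for illustration, not browser code."""
    return header_body.replace(", ", ";").split(";")[0].strip()


if __name__ == "__main__":
    original = "a,b;c"
    escaped = encode_value("sid", original)   # sid="a\054b\073c"
    unescaped = "sid=" + original             # constructed: models pre-fix output

    for label, header in (("escaped", escaped), ("unescaped", unescaped)):
        chunk = lenient_client_first_pair(header)
        # The escaped form survives intact; the unescaped one is cut at ';'.
        print(f"{label:9s} sent={header!r} client keeps={chunk!r} "
              f"decoded={decode_value('sid', chunk)!r}")
```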
History
2010-12-28 19:11:17 r.david.murray set
    status: open -> closed
    nosy: georg.brandl, eric.araujo, r.david.murray, spookylukey
    messages: + msg124814
    resolution: fixed
    stage: patch review -> resolved
2010-12-28 09:45:06 georg.brandl set
    nosy: georg.brandl, eric.araujo, r.david.murray, spookylukey
    messages: + msg124775
2010-12-17 02:51:35 r.david.murray set
    files: + cookies_extra_coding.patch
    nosy: + r.david.murray
    messages: + msg124175
    stage: patch review
2010-09-12 00:59:50 eric.araujo set
    nosy: + eric.araujo
    messages: + msg116142
    versions: - Python 2.6, Python 2.5, Python 3.3
2010-09-11 21:20:04 georg.brandl set
    priority: normal -> critical
    nosy: + georg.brandl
    messages: + msg116121
    assignee: georg.brandl
2010-09-10 17:08:52 spookylukey set
    messages: + msg116031
2010-09-10 16:50:08 spookylukey create