Message 105407 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jjlee
Recipients	andyk, gregory.p.smith, jjlee, orsenthil, tseaver
Date	2010-05-09.18:58:32
SpamBayes Score	2.8339043e-08
Marked as misclassified	No
Message-id	<1273431515.52.0.0433722340148.issue3704@psf.upfronthosting.co.za>
In-reply-to

Content
It looks to me that it's just request_path that's wrong, so no need to add extra arguments to that function. It should discard the query and fragment (still keeping the "parameters" -- using urlparse.urlsplit instead of urlparse.urlparse would make that simpler). request_path is only called in three places: * We're agreed that the default cookie path should omit the query (and fragment) * Netscape cookies aren't checked for path on setting cookies (.set_ok_path()), so the value of request_path isn't checked in that case * Netscape cookies are checked for path on returning cookies, but including the query & fragment will never make a difference to the .startswith check in .path_return_ok() Finally, even RFC 2965, which nobody cares about, and which does include the path check on setting the cookie, refers to RFC 2396 for the definition of request-URI, and both RFC 2396 and RFC 3986, which obsoletes it, agree that the path doesn't include the query (nor the fragment). Incidentally: the request_path function docstring claims to return the request-URI, but obviously the docstring should say it returns the path component of the request-URI.

It looks to me that it's just request_path that's wrong, so no need to add extra arguments to that function.  It should discard the query and fragment (still keeping the "parameters" -- using urlparse.urlsplit instead of urlparse.urlparse would make that simpler).

request_path is only called in three places:

 * We're agreed that the default cookie path should omit the query (and fragment)
 * Netscape cookies aren't checked for path on setting cookies (.set_ok_path()), so the value of request_path isn't checked in that case
 * Netscape cookies are checked for path on returning cookies, but including the query & fragment will never make a difference to the .startswith check in .path_return_ok()

Finally, even RFC 2965, which nobody cares about, and which does include the path check on setting the cookie, refers to RFC 2396 for the definition of request-URI, and both RFC 2396 and RFC 3986, which obsoletes it, agree that the path doesn't include the query (nor the fragment).

Incidentally: the request_path function docstring claims to return the request-URI, but obviously the docstring should say it returns the path component of the request-URI.

History
Date	User	Action	Args
2010-05-09 18:58:35	jjlee	set	recipients: + jjlee, gregory.p.smith, tseaver, orsenthil, andyk
2010-05-09 18:58:35	jjlee	set	messageid: <1273431515.52.0.0433722340148.issue3704@psf.upfronthosting.co.za>
2010-05-09 18:58:33	jjlee	link	issue3704 messages
2010-05-09 18:58:32	jjlee	create