classification
Title: Cookies without values are silently ignored (by design?)
Type: Stage: resolved
Components: Library (Lib) Versions:
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Backport Cookie fix to 2.7 (httponly / secure flag)
View: 19870
Assigned To: orsenthil Nosy List: akuchling, andresriancho, berker.peksag, facundobatista, jjlee, orsenthil, sirilyan
Priority: normal Keywords:

Created on 2004-09-14 18:05 by sirilyan, last changed 2014-02-05 18:37 by berker.peksag. This issue is now closed.

Messages (13)
msg22444 - (view) Author: Doug Sheppard (sirilyan) Date: 2004-09-14 18:05
Cookie._CookiePattern is the regular expression used to
retrieve cookies from the HTTP_COOKIE environment
variable.  This pattern assumes that all cookies are in
"name=value" format.  A cookie that doesn't have an
"=value" component is silently skipped over.  (It's
easy to generate a cookie like that - in JavaScript,
document.cookie="broken" is all it takes.)

>>> import Cookie
>>> q = Cookie.SimpleCookie("pie=good; broken; other=thing")
>>> q
<SimpleCookie: other='thing' pie='good'>

If ignoring cookies without a "=value" component is
intended behaviour, it'd be nice to have a code comment
warning that's what happens.  If it's a bug, the cookie
should be set with an empty value.
msg22445 - (view) Author: John J Lee (jjlee) Date: 2005-06-29 20:02
Though I had previously assumed stability is more important
than the precise details of what module Cookie does (since
you can choose what cookies you send, the only important
thing is that behaviour is relatively sane, and does the job
-- in a standards-compliant way -- with browsers).  But I
suppose one can have JS code or other web app code
maintained by others, and have to understand cookies that
were emitted by that code.  Is that your situation?

Do 'serious' web developers use module Cookie, or do people
now tend to use web frameworks' own cookie code (personally
I don't use cookies in my web application work).  If the
former, perhaps we should not tinker with this module.
msg22446 - (view) Author: John J Lee (jjlee) Date: 2005-07-01 17:22
In the last sentence of my previous comment, I meant to say:
"if the latter".
msg74511 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-08 03:08
Sorry to bother you guys after so much time, but I think that there is
at least one bit of the RFC that isn't respected by this "name=value"
thing... If we look at the RFC we'll see this:

   cookie-av       =       "Comment" "=" value
                   |       "Domain" "=" value
                   |       "Max-Age" "=" value
                   |       "Path" "=" value
                   |       "Secure"
                   |       "Version" "=" 1*DIGIT

As you may have noticed, "Secure" doesn't have any values. Also, (but
out of the RFC) there is a commonly used cookie flag named "HttpOnly"
[0], which would be nice to correctly parse also.

Should _CookiePattern be modified to address this issue? 

[0] http://www.owasp.org/index.php/HTTPOnly
msg74548 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-08 21:47
The RFC I'm talking about is: http://www.ietf.org/rfc/rfc2109.txt
msg74609 - (view) Author: John J Lee (jjlee) Date: 2008-10-09 23:29
You haven't said what the specific problem is.  Note that the
SimpleCookie class really represents a set of cookies, and the Morsel
class represents a single cookie.  It seems that setting special
value-less cookie-attributes like "secure" works:

Python 2.5.2 (r252:60911, Jul 31 2008, 17:28:52) 
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import Cookie
>>> c = Cookie.SimpleCookie("spam=eggs; foo=bar")
>>> c.output()
'Set-Cookie: foo=bar\r\nSet-Cookie: spam=eggs'
>>> c["foo"]["secure"] = 1
>>> c.output()
'Set-Cookie: foo=bar; secure\r\nSet-Cookie: spam=eggs'

HttpOnly support was added here:

http://bugs.python.org/issue1638033

However, I don't know why BaseCookie.load() treats "secure" or
"HttpOnly" specially at all -- those names are not special in Cookie:
headers.
msg74614 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-10 02:15
My problem, and the problem of the original bug reporter (sirilyan) is
that the load method ignores names that don't have values. Quoting the
original bug report:

>>> import Cookie
>>> q = Cookie.SimpleCookie("pie=good; broken; other=thing")
>>> q
<SimpleCookie: other='thing' pie='good'>

The original bug report suggested raising a warning or something. I
don't like that idea too much. What I would like to see is the "secure"
cookie parameter, which BY RFC has no value, be parsed as expected.

Right now if you .load() a cookie that looks like this: "a=b; secure"
and then you want to write that cookie back, you lose the secure parameter!

dz0@brick:~$ python
Python 2.5.2 (r252:60911, Jul 31 2008, 17:28:52) 
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import Cookie
>>> C = Cookie.SimpleCookie()
>>> C.load("chips=ahoy; vienna=finger")
>>> print C
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger
>>> C.load("chips=ahoy; vienna=finger; secure")
>>> print C
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger
>>> 

I'm not sure if I'm being clear enough, please tell me if you need me to
rewrite something, or use other examples.
msg74637 - (view) Author: John J Lee (jjlee) Date: 2008-10-10 18:15
I was responding to your comment of 2008-10-08 03:08, not to the opening
comment.  I already responded to the opening comment.
msg74638 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-10 18:21
- Problem: The secure flag of cookies is ignored by the load method.

- Why is it related to this issue? Because the secure flag is a name
without a value:

pie=good; other=thing; secure

- Why is it bad?
Because the RFC says that we should parse it.
msg74640 - (view) Author: John J Lee (jjlee) Date: 2008-10-10 18:40
The Cookie: header does not have a "secure flag" (The Set-Cookie: header
does).

I don't strongly object to the issue identified in the original comment
being fixed.
msg114377 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2010-08-19 16:31
Any interest in this?
msg121272 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2010-11-16 08:29
Revisiting this issue.

- Cookie: should contain name=value pairs
- Set-Cookie: header can contain a single word like 'secure'

The current design is along the same lines only.
In the original comment, the request had asked to document the behavior of Cookie class ignoring the nameless values. That should be okay.
msg210336 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2014-02-05 18:37
This was fixed in issue 16611 (for 3.3 and 3.4) and there is an open issue for 2.7: issue 19870. I'm closing this one as a duplicate of issue 19870, because it has a patch.

>>> from http import cookies
>>> C = cookies.SimpleCookie()
>>> C.load("chips=ahoy; vienna=finger; secure")
>>> print(C)
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger; secure
>>> C['vienna']['secure']
True
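
Added example, not part of the thread or of CPython: a check that reports which tokens of a cookie string `SimpleCookie.load()` discarded, so the silent loss discussed above becomes an explicit error. The helper names (`raw_tokens`, `retained_tokens`, `dropped_tokens`, `load_strict`) are hypothetical, and splitting on `;` assumes no quoted value contains a semicolon. How much is discarded for `broken` depends on the Python version, so the check only relies on `broken` being among the lost tokens.

```python
from http.cookies import SimpleCookie


def raw_tokens(header):
    """Name of every ';'-separated token, including tokens with no '=value'."""
    names = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0].strip())
    return names


def retained_tokens(jar):
    """Lower-cased names the parser kept: cookie names plus every
    attribute or flag (secure, httponly, path, ...) set on a morsel."""
    kept = set()
    for name, morsel in jar.items():
        kept.add(name.lower())
        # A Morsel is a dict of reserved attributes; unset ones are "".
        kept.update(attr for attr, value in morsel.items() if value)
    return kept


def dropped_tokens(header):
    """Tokens present in `header` that SimpleCookie.load() did not keep."""
    jar = SimpleCookie()
    jar.load(header)
    kept = retained_tokens(jar)
    return [t for t in raw_tokens(header) if t.lower() not in kept]


def load_strict(header):
    """Load `header`, raising instead of silently losing tokens."""
    lost = dropped_tokens(header)
    if lost:
        raise ValueError("cookie tokens ignored by parser: %r" % (lost,))
    jar = SimpleCookie()
    jar.load(header)
    return jar


if __name__ == "__main__":
    # Both sample strings are the ones quoted in the messages above.
    for sample in ("pie=good; broken; other=thing",
                   "chips=ahoy; vienna=finger; secure"):
        print(repr(sample), "-> dropped:", dropped_tokens(sample))
```
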
History
Date                 User            Action  Args
2014-02-05 18:37:57  berker.peksag   set     status: open -> closed; superseder: Backport Cookie fix to 2.7 (httponly / secure flag); nosy: + berker.peksag; messages: + msg210336; resolution: duplicate; stage: resolved
2014-02-03 19:18:25  BreamoreBoy     set     nosy: - BreamoreBoy
2010-11-16 08:29:46  orsenthil       set     assignee: orsenthil; messages: + msg121272; nosy: + orsenthil
2010-11-12 21:03:49  akuchling       set     assignee: akuchling -> (no value)
2010-08-19 16:31:38  BreamoreBoy     set     nosy: + BreamoreBoy; messages: + msg114377
2008-10-10 18:40:08  jjlee           set     messages: + msg74640
2008-10-10 18:21:06  andresriancho   set     messages: + msg74638
2008-10-10 18:15:53  jjlee           set     messages: + msg74637
2008-10-10 02:15:32  andresriancho   set     messages: + msg74614
2008-10-09 23:29:12  jjlee           set     messages: + msg74609
2008-10-08 21:47:52  andresriancho   set     messages: + msg74548
2008-10-08 11:54:15  facundobatista  set     nosy: + facundobatista
2008-10-08 03:08:03  andresriancho   set     nosy: + andresriancho; messages: + msg74511
2004-09-14 18:05:42  sirilyan        create