Title: SimpleCookie Generates Non-RFC6265-Compliant Cookies
Type: behavior Stage: patch review
Components: Documentation Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7
Status: open Resolution:
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Ido Michael, docs@python, martin.panter, pdbogen, serhiy.storchaka, taleinat
Priority: normal Keywords: patch

Created on 2013-11-20 20:23 by pdbogen, last changed 2020-06-20 19:49 by Ido Michael.

Pull Requests
URL Status Linked Edit
PR 21017 open Ido Michael, 2020-06-20 19:43
Messages (5)
msg203529 - (view) Author: Patrick Bogen (pdbogen) Date: 2013-11-20 20:23
SimpleCookie uses _quote to quote cookie values, which converts special characters to \OCTAL notation. This is not RFC6265 compliance, which requires- in part- that cookie values do not contain backslashes:

 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash
msg334409 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2019-01-27 00:48
I think the solution here is to document what “SimpleCookie.value_encode” really does: RFC 2109 quoted-string escaping. If you want to a generate RFC-6265-compliant Set-Cookie string, do not include non-compliant characters in the cookie value, and consider using BaseCookie rather than SimpleCookie, especially if your “morsel” values are enclosed in double quotes.
msg370760 - (view) Author: Ido Michael (Ido Michael) * Date: 2020-06-05 12:58
I think it can be closed?
msg371086 - (view) Author: Tal Einat (taleinat) * (Python committer) Date: 2020-06-09 10:07
It seems that the docs haven't been updated regarding this, so I don't think this should be closed. On the contrary, A PR adding a clarification to the docs would be most welcome.
msg371959 - (view) Author: Ido Michael (Ido Michael) * Date: 2020-06-20 19:49
Opened a PR:

The documentation in the internal functions was helpful.
Should I also add it once decided on the format in here? Doc/library/http.cookies.rst:55
Date User Action Args
2020-06-20 19:49:24Ido Michaelsetmessages: + msg371959
2020-06-20 19:43:18Ido Michaelsetkeywords: + patch
stage: patch review
pull_requests: + pull_request20191
2020-06-09 10:07:45taleinatsetcomponents: - Library (Lib)
2020-06-09 10:07:30taleinatsetversions: - Python 3.6
2020-06-09 10:07:20taleinatsetmessages: + msg371086
2020-06-05 12:58:45Ido Michaelsetnosy: + taleinat
2020-06-05 12:58:28Ido Michaelsetnosy: + Ido Michael
messages: + msg370760
2020-05-31 13:38:09serhiy.storchakasetversions: + Python 3.6, Python 3.7, Python 3.8, Python 3.9, Python 3.10, - Python 2.7
2019-01-27 00:48:36martin.pantersetnosy: + docs@python, martin.panter
messages: + msg334409

assignee: docs@python
components: + Documentation
2014-11-18 16:51:05serhiy.storchakasetnosy: + serhiy.storchaka
2013-11-20 20:23:24pdbogencreate