BaseCookie should give an informative error, if a non RFC compliant header was given. The problem was, that we thought several cookies are allowed in one header in a cookie *response* header. However, this is only allowed in cookie *request* headers.
In those cases the output of BaseCookie looks broken, which caused a lot of confusion, since a standard library should not have so many flaws.
Example with parsing a response header with several cookies separated by comma (not allowed by RFC):
http.cookies.BaseCookie('foo=bar, oof=rab; httponly, bar=baz').output()
'Set-Cookie: bar=baz\r\nSet-Cookie: foo=bar,\r\nSet-Cookie: oof=rab'
Flaws:
* comma after 'foo=bar' in output
* the httponly flag was omitted (it would show up with a semi-colon after it, i.e. 'oof=rab; httponly;')
* input and output style are different, i.e. several cookies in one line were transformed to several cookies in several lines
I think the best solution is to fail early and hard, if there are several cookies in one header. Maybe some problems should be fixed anyway (trailing comma, different output style).
|