
classification
Title: BaseCookie does not complain if a non RFC compliant cookie header was given
Type: behavior
Stage:
Components: Library (Lib)
Versions: Python 3.3, Python 3.4, Python 3.5

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: florianpilz, martin.panter, r.david.murray
Priority: normal
Keywords:

Created on 2013-12-03 07:23 by florianpilz, last changed 2022-04-11 14:57 by admin.

Messages (3)

msg205077 - Author: Florian Pilz (florianpilz) Date: 2013-12-03 07:23
BaseCookie should give an informative error if a non-RFC-compliant header was given. The problem was that we thought several cookies are allowed in one header in a cookie *response* header. However, this is only allowed in cookie *request* headers.

In those cases the output of BaseCookie looks broken, which caused a lot of confusion, since a standard library should not have so many flaws.

Example with parsing a response header with several cookies separated by comma (not allowed by RFC):

http.cookies.BaseCookie('foo=bar, oof=rab; httponly, bar=baz').output()
'Set-Cookie: bar=baz\r\nSet-Cookie: foo=bar,\r\nSet-Cookie: oof=rab'

Flaws:

* comma after 'foo=bar' in output
* the httponly flag was omitted (it would show up with a semi-colon after it, i.e. 'oof=rab; httponly;')
* input and output style are different, i.e. several cookies in one line were transformed to several cookies in several lines

I think the best solution is to fail early and hard if there are several cookies in one header. Maybe some problems should be fixed anyway (trailing comma, different output style).

msg205104 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2013-12-03 12:00
RFCs and cookies don't have much to do with each other in real life.

The 'httponly' flag bug was fixed in issue 16611.

For backward compatibility reasons we can't start raising errors where we didn't raise them before, so if anything is going to be done it will have to be a bit more complicated, and be a new feature.

msg259818 - Author: Martin Panter (martin.panter) (Python committer) Date: 2016-02-08 05:40
Due to the change in Issue 22796, a key without a value (“httponly,” in the example) now causes the parsing operation to be silently aborted. Perhaps we can close this?
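
A caller-side way to get the "fail early" behaviour discussed in this thread, as an added example that is not part of the tracker discussion or of CPython: it checks a single Set-Cookie value against the RFC 6265 cookie-pair grammar before handing it to SimpleCookie. The function name, the set of accepted attribute names (including SameSite) and the sample values other than the one from the report are assumptions made for illustration.

```python
import re
from http.cookies import SimpleCookie

# RFC 6265 section 4.1.1: cookie-pair = token "=" cookie-value, where
# cookie-value excludes whitespace, DQUOTE, comma, semicolon and backslash.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_OCTETS = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
_COOKIE_PAIR = re.compile(rf'{_TOKEN}=(?:"{_OCTETS}"|{_OCTETS})\Z')
# Attribute names accepted by this strict mode. SameSite is an assumption:
# it comes from the RFC 6265bis draft, not from RFC 6265.
_KNOWN_ATTRS = {"expires", "max-age", "domain", "path",
                "secure", "httponly", "samesite"}


def parse_set_cookie_strict(value):
    """Parse one Set-Cookie value, raising ValueError if it is not exactly
    one cookie-pair followed by known attributes."""
    pair, *attrs = value.split(";")
    if not _COOKIE_PAIR.match(pair.strip()):
        raise ValueError(f"not a single cookie-pair: {pair.strip()!r}")
    for raw in attrs:
        attr = raw.strip()
        if not attr:
            continue  # tolerate a trailing ';'
        name = attr.partition("=")[0].strip().lower()
        if name not in _KNOWN_ATTRS:
            # e.g. 'httponly, bar=baz': a second cookie glued on with a comma
            raise ValueError(f"unknown cookie attribute: {attr!r}")
    cookie = SimpleCookie()
    cookie.load(value)
    if len(cookie) != 1:
        raise ValueError(f"expected one cookie, parsed {len(cookie)}")
    return cookie


if __name__ == "__main__":
    # Constructed sample values; the first is the header from the report.
    samples = [
        "foo=bar, oof=rab; httponly, bar=baz",
        "oof=rab; httponly, bar=baz",
        "sid=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; HttpOnly",
    ]
    for sample in samples:
        try:
            print("accepted:", parse_set_cookie_strict(sample).output())
        except ValueError as exc:
            print("rejected:", exc)
```

The comma inside an Expires date is still accepted, because the comma restriction in the grammar applies only to the cookie value, not to attribute values.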

History
Date                 User            Action  Args
2022-04-11 14:57:54  admin           set     github: 64068
2016-02-08 05:40:37  martin.panter   set     nosy: + martin.panter; messages: + msg259818
2013-12-03 12:00:59  r.david.murray  set     nosy: + r.david.murray; messages: + msg205104
2013-12-03 07:23:01  florianpilz     create