This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Cookie parsing should be more permissive
Type: enhancement Stage:
Components: Library (Lib) Versions: Python 3.5
Status: closed Resolution: duplicate
Dependencies: Superseder: http.cookies: Handle malformed cookie
View: 17340
Assigned To: Nosy List: Tim Pierce, Waldemar.Parzonka, demian.brecht, martin.panter, orsenthil, pitrou
Priority: normal Keywords:

Created on 2014-12-02 16:59 by demian.brecht, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg232020 - (view) Author: Demian Brecht (demian.brecht) * (Python triager) Date: 2014-12-02 16:59
As found in #22931, if an invalid cookie value is found while parsing, the rest of the cookie is silently ignored. The expected behavior is undefined in RFC 6265, but does state that if unexpected values are encountered that user agents MAY ignore an entire set-cookie string (not just a subsection of it). Given that, invalid cookie portions should likely be handled by either:

1. Ignore the cookie string in its entirety and log an error message, or
2. Ignore invalid cookie-pairs but still parse the rest of the string

The latter would likely be the best path (Postel's law and all)
msg232024 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-12-02 17:08
Well, remember that we recently made parsing stricter in response to a security issue...
msg232028 - (view) Author: Demian Brecht (demian.brecht) * (Python triager) Date: 2014-12-02 17:25
Sure, but this is in regards to the initial matching, not the parsing. Because the pattern expects RFC conformity, in this cookie string:

Cookie: a=b; c=[; d=r; f=h

The only matching parts will be:

Cookie: a=b;

The rest will be discarded. What I'm proposing is that this should instead result in:

Cookie: a=b; d=r; f=h

The recent changes would stay intact.
msg232029 - (view) Author: Demian Brecht (demian.brecht) * (Python triager) Date: 2014-12-02 17:26
Sorry, bad example. Replace "[" in the previous example with any actually invalid character.
msg259819 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-02-08 05:51
The patch at Issue 25228 should partially do what Demian proposed. Anyway, I think Issue 17340 is basically about the same problem.
Date User Action Args
2022-04-11 14:58:10adminsetgithub: 67172
2016-02-08 05:51:24martin.pantersetstatus: open -> closed

nosy: + martin.panter
messages: + msg259819

superseder: http.cookies: Handle malformed cookie
resolution: duplicate
2015-06-09 14:35:59Tim Piercesetnosy: + Tim Pierce
2014-12-03 09:24:53Waldemar.Parzonkasetnosy: + Waldemar.Parzonka
2014-12-02 17:26:46demian.brechtsetmessages: + msg232029
2014-12-02 17:25:51demian.brechtsetmessages: + msg232028
2014-12-02 17:08:35pitrousetnosy: + orsenthil, pitrou
messages: + msg232024
2014-12-02 16:59:37demian.brechtcreate