classification
Title: Regression in http.cookies parsing with single key without value
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.5
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: SilentGhost, Yuriy Zhuravlev, martin.panter, pitrou
Priority: normal Keywords:

Created on 2016-08-22 11:14 by Yuriy Zhuravlev, last changed 2016-08-22 16:03 by Yuriy Zhuravlev. This issue is now closed.

Messages (4)
msg273355 - (view) Author: Yuriy Zhuravlev (Yuriy Zhuravlev) Date: 2016-08-22 11:14
After I migrated my site to Python 3.5 from 3.4 many users of my site have not been able to login. After small research I found out that users cookies there was a key without value and new Python get empty SimpleCookie result. 
Example for Python 3.5.2:

>>> import http.cookies as Cookie
>>> _cookies = Cookie.SimpleCookie()
>>> _cookies.load("rgoods_1=2; __test;")
>>> _cookies
<SimpleCookie: >

Example for Python 3.4.5:

>>> import http.cookies as Cookie
>>> _cookies = Cookie.SimpleCookie()
>>> _cookies.load("rgoods_1=2; __test;")
>>> _cookies
<SimpleCookie: rgoods_1='2'>

I don't know many about right cookie format but drop the wrong key for me is the best solution. I have seen many discussions about Cookie parsers but I was not see words about single keys. If it will be dublicate I am sorry.
msg273362 - (view) Author: SilentGhost (SilentGhost) * (Python triager) Date: 2016-08-22 12:00
The change was implemented in issue22796 and is listed in the what's new document. Any RFC I'm looking at says that the value is required, so your syntax is simply not valid and is rejected by the parser.
msg273369 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-08-22 12:51
I am not the biggest expert on cookie syntaxes, but maybe these reports are related:

Issue 25228: Skip over invalid cookies by searching for a semicolon; needs confirming whether it reopens a security hole

Issue 17340: Problem with a comma in (or preceding) a cookie key

Issue 27674: Handling of cookie value with embedded double quote signs
msg273383 - (view) Author: Yuriy Zhuravlev (Yuriy Zhuravlev) Date: 2016-08-22 16:03
>Any RFC I'm looking at says that the value is required, so your syntax is simply not valid and is rejected by the parser.

Perhaps but this cookies sets not by me (maybe JS ads widget or etc). And I can't fix it. I can't auth users because their cookies wrong. And I can't detect this situation because all process is silent without exception.

>I am not the biggest expert on cookie syntaxes, but maybe these reports are related:

I suppose you are right.
History
Date User Action Args
2016-08-22 16:03:46Yuriy Zhuravlevsetmessages: + msg273383
2016-08-22 12:51:19martin.pantersetnosy: + martin.panter

messages: + msg273369
title: Regression in cookie parsing with single key without value -> Regression in http.cookies parsing with single key without value
2016-08-22 12:00:36SilentGhostsetstatus: open -> closed

nosy: + SilentGhost, pitrou
messages: + msg273362

resolution: not a bug
stage: resolved
2016-08-22 11:14:57Yuriy Zhuravlevcreate