PoC (PHP Version):

 header('Set-Cookie: test=123; max-age=a');  //  PoC 1
 header('Set-Cookie: test=123; domain=;');  //  PoC 2
 header('Set-Cookie: test=123; version=a;');  //  PoC 3

PoC 1 will trigger int() convert string to number from max-age (lib/cookielib.py:1429).I give this value a string ,it will make except 

        try:
            v = int(v)                 #  lib/cookielib.py:1429
        except ValueError:
            _debug("   missing or invalid (non-numeric) value for "
                  "max-age attribute")
            bad_cookie = True
            break                      #  lib/cookielib.py:1434

PoC 2 is a domain None value (lib/cookielib.py:1412).Cookielib will discard current cookie record.
    if k == "domain":                  #  lib/cookielib.py:1411
        if v is None:                  #  lib/cookielib.py:1412
            _debug("   missing value for domain attribute")
            bad_cookie = True
            break                      #  lib/cookielib.py:1415

PoC 3 will trigger a int() convert except(lib/cookielib.py:1472).Cookielib will discard current cookie record too.
        version = standard.get("version", None)  #  lib/cookielib.py:1469
        if version is not None:
            try:
                version = int(version)  #  lib/cookielib.py:1472
            except ValueError:
                return None  # invalid version, ignore cookie

There are PoCs involve urllib and requests library .

Full Code Analysis (Chinese Version): https://github.com/lcatro/Python_CookieLib_0day

Can you explain what you think the problem is?  I don't know what your "POC" snippets are trying to demonstrate.

I think LCatro is saying that Python should accept the cookies and discard only the offending attributes. This makes sense to me and tends to agree with the specifications, but the three cases seem all seem unimportant to me.

PoC 1, Max-age:

>>> from urllib2 import Request
>>> from test.test_cookielib import FakeResponse
>>> cookies = CookieJar(DefaultCookiePolicy())
>>> request = Request('http://127.0.0.1/requests_test.php')
>>> cookies.extract_cookies(FakeResponse(()), request)  # Issue 12144
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; max-age=a',)), request)  # No cookies returned
[]

RFC 6265 says Max-age should be ignored if not does not start with a digit or minus sign: <https://tools.ietf.org/html/rfc6265#section-5.2.2>. Netscape did not specify Max-age at all. So I agree that the cookie should be retained.

PoC 2, Domain: You have to omit the equals sign to satisfy “v is None” and discard the cookie record, otherwise “v” is just an empty string '':

>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain=;',)), request)  # v == ''
[Cookie(version=0, name='test', value='123', port=None, port_specified=False, domain='.', domain_specified=True, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)]
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain;',)), request)  # v is None
[]

RFC 6265 says both these cases should be treated the same, and recommends ignoring Domain in these cases.

PoC 3, Version:

>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; version=a;',)), request)  # No cookies returned
[]

The Version attribute is only specified by RFC 2109. Since the IETF has obsoleted it, I suggest to deprecate RFC 2109 support in the Python module. That way, if a real problem is demonstrated, we can remove the parts that are causing the problem.

So, PoC shows how an empty domain attribute (Domain=) is erroneously turned into a dot (.).

I want to add that a dot (Domain=.) should be turned into an empty string (the specification asks to remove a leading dot if found).