I think LCatro is saying that Python should accept the cookies and discard only the offending attributes. This makes sense to me and tends to agree with the specifications, but the three cases all seem unimportant to me.
PoC 1, Max-age:
>>> from urllib2 import Request
>>> from cookielib import CookieJar, DefaultCookiePolicy
>>> from test.test_cookielib import FakeResponse
>>> cookies = CookieJar(DefaultCookiePolicy())
>>> request = Request('http://127.0.0.1/requests_test.php')
>>> cookies.extract_cookies(FakeResponse(()), request) # Issue 12144
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; max-age=a',)), request) # No cookies returned
[]
RFC 6265 says Max-age should be ignored if it does not start with a digit or minus sign: <https://tools.ietf.org/html/rfc6265#section-5.2.2>. Netscape did not specify Max-age at all. So I agree that the cookie should be retained.
PoC 2, Domain: You have to omit the equals sign to satisfy “v is None” and discard the cookie record, otherwise “v” is just an empty string '':
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain=;',)), request) # v == ''
[Cookie(version=0, name='test', value='123', port=None, port_specified=False, domain='.', domain_specified=True, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)]
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain;',)), request) # v is None
[]
RFC 6265 says both these cases should be treated the same, and recommends ignoring Domain in these cases.
PoC 3, Version:
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; version=a;',)), request) # No cookies returned
[]
The Version attribute is only specified by RFC 2109. Since the IETF has obsoleted it, I suggest deprecating RFC 2109 support in the Python module. That way, if a real problem is demonstrated, we can remove the parts that are causing the problem.
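The RFC 6265 section 5.2 behaviour referred to in the message above, as an added Python 3 sketch that is not part of the original message and is not cookielib code. `parse_set_cookie` is a hypothetical helper that takes the header value without the `Set-Cookie:` prefix and handles only Max-Age and Domain; a malformed attribute is dropped and the cookie is kept.

```python
import re

# Hypothetical helper for illustration; not part of cookielib / http.cookiejar.
MAX_AGE_RE = re.compile(r"-?[0-9]+")  # 5.2.2: digit or "-" first, then digits


def parse_set_cookie(header_value):
    """Return (name, value, attrs), or None if the whole cookie is ignored."""
    pair, _, unparsed = header_value.partition(";")
    if "=" not in pair:
        return None  # 5.2: no "=" in the name-value pair, ignore the cookie
    name, _, value = pair.partition("=")
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name:
        return None  # 5.2: empty cookie name, ignore the cookie
    attrs = {}
    for av in unparsed.split(";"):
        # A cookie-av without "=" gets an empty attribute-value, so
        # "domain" and "domain=" take the same path below.
        key, _, val = av.partition("=")
        key, val = key.strip(" \t").lower(), val.strip(" \t")
        if key == "max-age":
            # 5.2.2: ignore only this attribute when the value is malformed.
            if MAX_AGE_RE.fullmatch(val):
                attrs["max-age"] = int(val)
        elif key == "domain":
            # 5.2.3: an empty value means the attribute SHOULD be ignored.
            if val:
                if val.startswith("."):
                    val = val[1:]  # drop one leading dot
                attrs["domain"] = val.lower()
        # Other attributes (Version included) are skipped in this sketch;
        # an unrecognised attribute never discards the cookie.
    return name, value, attrs


if __name__ == "__main__":
    # Constructed inputs mirroring the three PoCs in the message.
    for raw in ("test=123; max-age=a", "test=123; domain=;",
                "test=123; domain;", "test=123; version=a;"):
        print(repr(raw), "->", parse_set_cookie(raw))
```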