Title: http.cookies.SimpleCookie does not parse attribute without value (rfc2109)
Type: Stage:
Components: Versions: Python 3.7
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: SilentGhost, pitrou, sirkonst, xtreak
Priority: normal Keywords:

Created on 2019-06-14 08:41 by sirkonst, last changed 2019-06-14 09:14 by SilentGhost.

Messages (3)
msg345563 - Author: Konstantin Enchant (sirkonst) Date: 2019-06-14 08:41
A very strange case, but https://www.ietf.org/rfc/rfc2109.txt (see 4.1 Syntax: General) defines that "= value" is optional for attribute-value pairs in the Cookie header.

And SimpleCookie is fully broken if it meets an attribute without a value, example:

```
>>> from http.cookies import SimpleCookie

# all ok
>>> SimpleCookie('a=1')
<SimpleCookie: a='1'>

# parsing is fully broken: not only `test` but `a` is lost too
>>> SimpleCookie('test; a=1')
<SimpleCookie: >

# or
>>> SimpleCookie('a=1; test; b=2')
<SimpleCookie: >
```

I think the problem hasn't been noticed for so long because people usually use frameworks; for example, Django parses it correctly because it has a workaround: https://github.com/django/django/blob/master/django/http/cookie.py#L20.

Also, Go Lang handles that case too; example: https://play.golang.org/p/y0eFXVq6byK

(As you can see, Go Lang and Django have different behavior for that case, and I think Go Lang does it better.)

The problem seems minor, but aiohttp uses SimpleCookie as is (https://github.com/aio-libs/aiohttp/blob/3.5/aiohttp/web_request.py#L482), and if a request has that strange cookie value mixed with other normal values, none of the cookies can be parsed by aiohttp (request.cookies is just empty).

In the real world, in my web application (based on aiohttp), it fully breaks authentication for requests based on cookies.

I hope that this will be fixed in SimpleCookie without implementing a workaround in aiohttp like Django's.
msg345564 - Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2019-06-14 09:07
This could be due to issue22796. See also https://bugs.python.org/issue27828#msg273355.

```
➜  cpython git:(master) ✗ git checkout b1e36073cdde71468efa27e88016aa6dd46f3ec7~1 Lib/http/cookies.py
➜  cpython git:(master) ✗ ./python.exe -c 'from http.cookies import SimpleCookie; print(SimpleCookie("a=1; test;"))' # parses a=1
Set-Cookie: a=1
➜  cpython git:(master) ✗ git checkout b1e36073cdde71468efa27e88016aa6dd46f3ec7 Lib/http/cookies.py
➜  cpython git:(master) ✗ ./python.exe -c 'from http.cookies import SimpleCookie; print(SimpleCookie("a=1; test;"))' # No value printed
```
msg345565 - Author: SilentGhost (SilentGhost) * (Python triager) Date: 2019-06-14 09:14
This was previously reported in #27828 and was introduced by #22796 in order to fix a potential security issue. Not every attribute would cause the failure to parse, but only unusual ones (that is, the normally occurring "reserved" httponly or secure attributes are handled just fine).

I'd propose that a more appropriate course of action would be to stop claiming compliance with RFC 2109 and instead refer to RFC 6265, as that is the behaviour currently being implemented.
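A tolerant loader for an incoming Cookie header, added here as an example and not code from the report, Django, Go or aiohttp: it splits the header first so that a bare token such as `test` cannot make SimpleCookie reject the whole string (and drop the session cookie with it, the failure sirkonst describes), while the surviving `name=value` pairs still pass through SimpleCookie's strict grammar. The `keep_bare` switch gives the Go-style reading (bare token = empty value) beside the Django-style one (drop it), and reuses SimpleCookie's own key check so that reserved attribute names like `secure`, which SilentGhost notes are handled fine, never surface as cookies; the function names and sample header are assumptions.

```python
from http.cookies import CookieError, SimpleCookie


def split_cookie_header(header):
    """Split a Cookie header on ';' into ('name=value' chunks, bare tokens).

    Bare tokens are the valueless attributes RFC 2109 permits; leaving them
    in the string is what makes SimpleCookie drop every cookie in the report.
    """
    pairs, bare = [], []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        (pairs if "=" in chunk else bare).append(chunk)
    return pairs, bare


def parse_cookies(header, keep_bare=False):
    """Return {name: value} for a request Cookie header.

    keep_bare=False drops bare tokens (the Django-style workaround linked in
    the report); keep_bare=True records them with an empty value (the Go-style
    behaviour linked in the report). Either way the name=value pairs are still
    validated by SimpleCookie's strict grammar, so the all-or-nothing failure
    is confined to genuinely malformed pairs.
    """
    pairs, bare = split_cookie_header(header)
    jar = SimpleCookie()
    jar.load("; ".join(pairs))
    cookies = {name: morsel.value for name, morsel in jar.items()}
    if keep_bare:
        for token in bare:
            if token in cookies:
                continue
            try:
                jar[token] = ""  # reuse SimpleCookie's own key validation
            except CookieError:
                # illegal characters, or a reserved attribute name such as
                # "secure"/"httponly": not a cookie, so do not surface it
                continue
            cookies[token] = ""
    return cookies


if __name__ == "__main__":
    # Constructed sample: the report's mixed header plus a session cookie.
    sample = "sessionid=abc123; test; a=1"
    print(parse_cookies(sample))                  # {'sessionid': 'abc123', 'a': '1'}
    print(parse_cookies(sample, keep_bare=True))  # adds 'test': ''
```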
History
Date                 User         Action  Args
2019-06-14 09:14:43  SilentGhost  set     nosy: + xtreak
2019-06-14 09:14:30  SilentGhost  set     nosy: + SilentGhost, pitrou, - xtreak; messages: + msg345565
2019-06-14 09:07:19  xtreak       set     nosy: + xtreak; messages: + msg345564
2019-06-14 08:41:30  sirkonst     create