This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: http.cookies.CookieError: Illegal key
Type: Stage: resolved
Components: Versions: Python 3.7
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: jaswdr, ra1nb0w
Priority: normal Keywords:

Created on 2021-05-10 18:31 by ra1nb0w, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (4)
msg393426 - (view) Author: ra1nb0w (ra1nb0w) Date: 2021-05-10 18:30 
The issue arises when there are multiple web applications using the same hostname and a "bad" cookie is stored; the first one (ex. tvheadend) sets a cookie like 'ys-api/mpegts/service=blabla' and the second is a python one that crash with the following:

May 10 18:56:37 hos openwebrx[4575]: Exception happened during processing of request from ('192.168.178.203', 56994)
May 10 18:56:37 hos openwebrx[4575]: Traceback (most recent call last):
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/socketserver.py", line 650, in process_request_thread
May 10 18:56:37 hos openwebrx[4575]:     self.finish_request(request, client_address)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/socketserver.py", line 360, in finish_request
May 10 18:56:37 hos openwebrx[4575]:     self.RequestHandlerClass(request, client_address, self)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3/dist-packages/owrx/http.py", line 40, in __init__
May 10 18:56:37 hos openwebrx[4575]:     super().__init__(request, client_address, server)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/socketserver.py", line 720, in __init__
May 10 18:56:37 hos openwebrx[4575]:     self.handle()
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/http/server.py", line 426, in handle
May 10 18:56:37 hos openwebrx[4575]:     self.handle_one_request()
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/http/server.py", line 414, in handle_one_request
May 10 18:56:37 hos openwebrx[4575]:     method()
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3/dist-packages/owrx/http.py", line 46, in do_GET
May 10 18:56:37 hos openwebrx[4575]:     self.router.route(self, self._build_request("GET"))
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3/dist-packages/owrx/http.py", line 55, in _build_request
May 10 18:56:37 hos openwebrx[4575]:     return Request(self.path, method, self.headers)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3/dist-packages/owrx/http.py", line 68, in __init__
May 10 18:56:37 hos openwebrx[4575]:     self.cookies.load(headers["Cookie"])
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/http/cookies.py", line 529, in load
May 10 18:56:37 hos openwebrx[4575]:     self.__parse_string(rawdata)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/http/cookies.py", line 593, in __parse_string
May 10 18:56:37 hos openwebrx[4575]:     self.__set(key, rval, cval)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/http/cookies.py", line 485, in __set
May 10 18:56:37 hos openwebrx[4575]:     M.set(key, real_value, coded_value)
May 10 18:56:37 hos openwebrx[4575]:   File "/usr/lib/python3.7/http/cookies.py", line 352, in set
May 10 18:56:37 hos openwebrx[4575]:     raise CookieError('Illegal key %r' % (key,))
May 10 18:56:37 hos openwebrx[4575]: http.cookies.CookieError: Illegal key 'ys-api/mpegts/service'

Is there a way to avoid this (just a warning) or the only solution is to filter the load(headers["Cookie"]) input?

thank you
msg393539 - (view) Author: Jonathan Schweder (jaswdr) * Date: 2021-05-12 17:57 
Simple example to reproduce the issue:

from http import cookies
C = cookies.SimpleCookie()
C["ys-api/mpegts/service"] = "blabla"
print(C.output())

@ra1nb0w so far as I have found [1][2], the "/" not a valid character for the Cookie name, [3] defines the list of valid characters and [4] is where the exception is raised, I also found that even with the RFC browsers have different rules for the Cookie name definitions, this could be reason why Python has, for example, the ":" character in the list.

My conclusion is that the rule for the cookie name is not well-defined, there are some ambiguities here and there, but if we consider purely this case and the RFC, the "/" still is not a valid character for the cookie name, so I guess the best option for you is to filter it out any http.cookies.CookieError that happen.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes
[2] https://datatracker.ietf.org/doc/html/rfc2616#section-2.2
[3] https://github.com/python/cpython/blob/main/Lib/http/cookies.py#L162
[4] https://github.com/python/cpython/blob/main/Lib/http/cookies.py#L353
msg393555 - (view) Author: ra1nb0w (ra1nb0w) Date: 2021-05-13 05:32 
Thank you very much jaswdr for the clarification.
Now I close this issue.
msg393585 - (view) Author: ra1nb0w (ra1nb0w) Date: 2021-05-13 15:13 
Just another question: jaswdr, can you provide an example on how to filter out http.cookies.CookieError? thanks
History
Date User Action Args
2022-04-11 14:59:45adminsetgithub: 88270
2021-05-13 15:13:28ra1nb0wsetmessages: + msg393585
2021-05-13 05:32:04ra1nb0wsetstatus: open -> closed
resolution: not a bug
messages: + msg393555

stage: resolved
2021-05-12 17:57:38jaswdrsetnosy: + jaswdr
messages: + msg393539
2021-05-10 18:31:00ra1nb0wcreate