Title: js_output wrong for cookies with " characters
Type: behavior
Stage:
Components: Library (Lib), Tests
Versions: Python 3.1, Python 2.7
Status: closed
Resolution: accepted
Dependencies:
Superseder:
Assigned To: orsenthil
Nosy List: noufal, orsenthil, vstinner
Priority: normal
Keywords: patch

Created on 2009-01-06 21:44 by noufal, last changed 2009-04-02 03:04 by orsenthil. This issue is now closed.

File name        Uploaded                      Description
cookie.patch     noufal, 2009-01-06 21:44      Patch to fix js_output for cookies with an unquoted " character
cookie-2.patch   vstinner, 2009-01-07 09:37
issue4860.diff   orsenthil, 2009-04-01 23:33
Messages (8)
msg79292 - Author: Noufal (noufal) Date: 2009-01-06 21:44
If a cookie is created with a " character in the content, the js_output
which is emitted is bad JavaScript, e.g.
>>> import Cookie
>>> c=Cookie.Cookie('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
>>> print c
Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme; Version=1
>>> print c.js_output()

        <script type="text/javascript">
        <!-- begin hiding
        document.cookie = "Customer="WILE_E_COYOTE"; Path=/acme; Version=1";
        // end hiding -->

Also, the test_cookie tests (test_load) explicitly check for this
(wrong) output.

I have attached a patch that seems to fix this or at the very least
produces the same Cookie settings whether the cookie is set using the
header or using JavaScript (I've verified this on Firefox on Linux).
msg79312 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2009-01-07 09:37
The patch looks correct but it breaks the unit test: updated patch fixes Lib/test/
msg79336 - Author: Noufal (noufal) Date: 2009-01-07 15:18
A lot of the cookie tests need to be updated. A separate bug was filed
regarding this. 

I'm working on that now and will apply your patch there as well.
msg79339 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2009-01-07 15:25
The characters <>& should also be escaped.
msg79909 - Author: Noufal (noufal) Date: 2009-01-15 18:12
What's wrong with < and >?

I can see the issues with ; though.
msg79915 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2009-01-15 19:53
> What's wrong with < and >?

>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()

        <script type="text/javascript">
        <!-- begin hiding
        document.cookie = "Customer="</script>"";
        // end hiding -->

It allows HTML/Javascript injection. Well, Python 2.5 already displays 
a warning:

/usr/lib/python2.5/ DeprecationWarning: 
Cookie/SmartCookie class is insecure; do not use it

The right fix is maybe to remove the deprecated and insecure function!
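The escaping the thread converges on (escape `"`, and also `<`, `>` and `&`), shown as an added example; this is not the patch attached to this issue nor the http.cookies implementation. The header value is turned into a JavaScript string literal with json.dumps and the three HTML-significant characters are then replaced with \uXXXX escapes, so neither a stray " nor a </script> in the cookie value can leave the literal or the enclosing script element. js_string_literal, naive_js_output, safe_js_output and script_element_count are hypothetical helpers; SimpleCookie and Morsel.OutputString are the stdlib ones.

```python
import json
from http.cookies import SimpleCookie

# Constructed inputs, taken from the examples posted in this thread.
HEADER_QUOTED = 'Customer="WILE_E_COYOTE"; Version=1; Path=/acme'
HEADER_INJECT = 'Customer="</script>";'

# Same wrapper as the js_output blocks shown above; %s receives the JS literal.
JS_TEMPLATE = ('\n        <script type="text/javascript">\n'
               '        <!-- begin hiding\n'
               '        document.cookie = %s;\n'
               '        // end hiding -->\n'
               '        </script>\n')

# json.dumps escapes backslash, '"' and control characters but leaves these
# alone; inside a <script> element a raw '<' can start "</script>" or "<!--",
# and '&' matters wherever the markup is later entity-decoded.
_HTML_UNSAFE = {"<": r"\u003c", ">": r"\u003e", "&": r"\u0026"}


def js_string_literal(value):
    """Double-quoted JS string literal for value that can neither end the
    literal early nor terminate the enclosing <script> element."""
    literal = json.dumps(value)
    for ch, esc in _HTML_UNSAFE.items():
        literal = literal.replace(ch, esc)
    return literal


def morsel_header_values(raw_header):
    """Parse with the stdlib parser; return each morsel's Set-Cookie header
    value (Morsel.OutputString), one entry per cookie."""
    return [m.OutputString() for m in SimpleCookie(raw_header).values()]


def naive_js_output(raw_header):
    """Pre-fix behaviour from the report: the header value is dropped into
    the literal unchanged, so '"' and '</script>' survive verbatim."""
    return "".join(JS_TEMPLATE % ('"%s"' % v)
                   for v in morsel_header_values(raw_header))


def safe_js_output(raw_header):
    """Hardened form: one fully escaped literal per morsel."""
    return "".join(JS_TEMPLATE % js_string_literal(v)
                   for v in morsel_header_values(raw_header))


def script_element_count(js):
    """Check: a one-cookie block must contain exactly one '</script' (the
    template's own); any further one came from the cookie value."""
    return js.lower().count("</script")
```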
msg85121 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2009-04-01 23:33
Cookie.Cookie is deprecated in Py2k. In Py3k, it is
http.cookies.SimpleCookie. The bug was present in Py3k, the attached
patch fixes it.
msg85149 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2009-04-02 03:04
Because the SimpleCookie class is still usable (that is, not deprecated), it
makes sense to backport to Py2.7.
Applied the patches in revision 71030 and r71029. Thanks.
Date                 User       Action  Args
2009-04-02 03:04:54  orsenthil  set     status: open -> closed; messages: + msg85149; versions: + Python 3.1
2009-04-01 23:33:13  orsenthil  set     files: + issue4860.diff; nosy: + orsenthil; messages: + msg85121; assignee: orsenthil; resolution: accepted
2009-01-15 19:53:55  vstinner   set     messages: + msg79915
2009-01-15 18:12:29  noufal     set     messages: + msg79909
2009-01-07 15:25:14  vstinner   set     messages: + msg79339
2009-01-07 15:18:14  noufal     set     messages: + msg79336
2009-01-07 09:37:19  vstinner   set     files: + cookie-2.patch; nosy: + vstinner; messages: + msg79312
2009-01-06 21:44:10  noufal     create