
Cookie parsing should be more permissive #67172

Closed
demianbrecht mannequin opened this issue Dec 2, 2014 · 5 comments
Labels
stdlib Python modules in the Lib dir type-feature A feature request or enhancement

Comments

@demianbrecht
Mannequin

demianbrecht mannequin commented Dec 2, 2014

BPO 22983
Nosy @orsenthil, @pitrou, @vadmium, @demianbrecht
Superseder
  • bpo-17340: http.cookies: Handle malformed cookie
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2016-02-08.05:51:24.433>
    created_at = <Date 2014-12-02.16:59:37.480>
    labels = ['type-feature', 'library']
    title = 'Cookie parsing should be more permissive'
    updated_at = <Date 2016-02-08.05:51:24.432>
    user = 'https://github.com/demianbrecht'

    bugs.python.org fields:

    activity = <Date 2016-02-08.05:51:24.432>
    actor = 'martin.panter'
    assignee = 'none'
    closed = True
    closed_date = <Date 2016-02-08.05:51:24.433>
    closer = 'martin.panter'
    components = ['Library (Lib)']
    creation = <Date 2014-12-02.16:59:37.480>
    creator = 'demian.brecht'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 22983
    keywords = []
    message_count = 5.0
    messages = ['232020', '232024', '232028', '232029', '259819']
    nosy_count = 6.0
    nosy_names = ['orsenthil', 'pitrou', 'martin.panter', 'demian.brecht', 'Waldemar.Parzonka', 'Tim Pierce']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = None
    status = 'closed'
    superseder = '17340'
    type = 'enhancement'
    url = 'https://bugs.python.org/issue22983'
    versions = ['Python 3.5']

    @demianbrecht
    Mannequin Author

    demianbrecht mannequin commented Dec 2, 2014

    As found in bpo-22931, if an invalid cookie value is found while parsing, the rest of the cookie is silently ignored. The expected behavior is undefined in RFC 6265, but does state that if unexpected values are encountered that user agents MAY ignore an entire set-cookie string (not just a subsection of it). Given that, invalid cookie portions should likely be handled by either:

    1. Ignore the cookie string in its entirety and log an error message, or
    2. Ignore invalid cookie-pairs but still parse the rest of the string

    The latter would likely be the best path (Postel's law and all)

    @demianbrecht demianbrecht mannequin added stdlib Python modules in the Lib dir type-feature A feature request or enhancement labels Dec 2, 2014
    @pitrou
    Member

    pitrou commented Dec 2, 2014

    Well, remember that we recently made parsing stricter in response to a security issue...

    @demianbrecht
    Mannequin Author

    demianbrecht mannequin commented Dec 2, 2014

    Sure, but this is in regards to the initial matching, not the parsing. Because the pattern expects RFC conformity, in this cookie string:

    Cookie: a=b; c=[; d=r; f=h

    The only matching parts will be:

    Cookie: a=b;

    The rest will be discarded. What I'm proposing is that this should instead result in:

    Cookie: a=b; d=r; f=h

    The recent changes would stay intact.

    @demianbrecht
    Mannequin Author

    demianbrecht mannequin commented Dec 2, 2014

    Sorry, bad example. Replace "[" in the previous example with any actually invalid character.
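The two handling options from the issue, as an added illustration that is not http.cookies' own code and not part of this thread: a small cookie-header splitter that validates each cookie-pair against the RFC 6265 token / cookie-octet character classes (the regexes below are my own simplification of those rules), either skipping invalid pairs while keeping the rest (option 2, the proposed `a=b; d=r; f=h` result) or rejecting the whole header when any pair is invalid (option 1). It also shows why `[` was a "bad example": `[` is a legal cookie-octet, so `c=[` is a valid pair; a control character is not.

```python
import re

# Constructed character classes (assumption: a simplified reading of RFC 6265
# "token" and "cookie-octet"; not the tables used by http.cookies).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# cookie-octet: printable US-ASCII except CTLs, space, DQUOTE, comma,
# semicolon and backslash.  Note that '[' (0x5B) and ']' (0x5D) are allowed.
_COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
_PAIR_RE = re.compile(
    rf"^(?P<name>{_TOKEN})=(?P<value>\"{_COOKIE_OCTET}\"|{_COOKIE_OCTET})$"
)


def parse_cookie_permissive(header):
    """Option 2: ignore invalid cookie-pairs but still parse the rest.

    Returns (accepted, rejected): a dict of valid name -> value pairs and a
    list of the raw chunks that failed validation, so a caller can log them.
    """
    accepted, rejected = {}, []
    # RFC 6265 forbids ';' inside a cookie-value (even quoted), so splitting
    # on ';' is safe here.
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = _PAIR_RE.match(chunk)
        if m is None:
            rejected.append(chunk)      # skip only this pair, keep going
            continue
        accepted[m["name"]] = m["value"]
    return accepted, rejected


def parse_cookie_strict(header):
    """Option 1: ignore the cookie string in its entirety if any pair is bad."""
    accepted, rejected = parse_cookie_permissive(header)
    return {} if rejected else accepted


if __name__ == "__main__":
    # Constructed sample headers; "\x01" is a genuinely illegal control char.
    for hdr in ("a=b; c=x\x01y; d=r; f=h", "a=b; c=[; d=r; f=h"):
        good, bad = parse_cookie_permissive(hdr)
        print(repr(hdr), "->", good, "rejected:", bad)
```

Whichever option is chosen, the rejected chunks are returned rather than silently dropped, so the application can log them; silent truncation is what the issue is complaining about.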

    @vadmium
    Member

    vadmium commented Feb 8, 2016

    The patch at bpo-25228 should partially do what Demian proposed. Anyway, I think bpo-17340 is basically about the same problem.

    @vadmium vadmium closed this as completed Feb 8, 2016
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022