New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie parsing should be more permissive #67172
Comments
As found in bpo-22931, if an invalid cookie value is found while parsing, the rest of the cookie is silently ignored. The expected behavior is undefined in RFC 6265, but does state that if unexpected values are encountered that user agents MAY ignore an entire set-cookie string (not just a subsection of it). Given that, invalid cookie portions should likely be handled by either:
The latter would likely be the best path (Postel's law and all) |
Well, remember that we recently made parsing stricter in response to a security issue... |
Sure, but this is in regards to the initial matching, not the parsing. Because the pattern expects RFC conformity, in this cookie string: Cookie: a=b; c=[; d=r; f=h The only matching parts will be: Cookie: a=b; The rest will be discarded. What I'm proposing is that this should instead result in: Cookie: a=b; d=r; f=h The recent changes would stay intact. |
Sorry, bad example. Replace "[" in the previous example with any actually invalid character. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: