Cookie.py does not correctly quote Morsels #40569
The quoting works fine for cookie values, but doesn't kick in for
>>> c = SimpleCookie()
>>> c['foo'] = u'\N{COPYRIGHT SIGN}'.encode('UTF8')
>>> print str(c)
Set-Cookie: foo="\302\251";
>>> c['foo']['comment'] = u'\N{BIOHAZARD SIGN}'.encode('UTF8')
>>> print str(c)
Set-Cookie: foo="\302\251"; Comment=?;
>>> str(c)
'Set-Cookie: foo="\\302\\251"; Comment=\xe2\x98\xa3;'
This patch adds a Unicode character, converted to UTF8 as a cookie's
This patch properly quotes cookie's comment and successfully passes
Thanks, Zan! All tests pass with both patches applied. Test and fix look correct to me.
Can someone please take a look at this Cookie.py two line patch.
Can we have this committed please, msg82420 says the patches are ok.
Here is a patch for Python 3.
Berker, your patch looks good to me. Convert it to a PR and then merge?
This patch only quotes the Comment attribute, and the rest of the code only quotes attributes if they're of the expected type. Consider Expires:
>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['name'] = 'value'
>>> c['name']['comment'] = '\n'
>>> c['name']['expires'] = 123
>>> c.output()
'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT'
>>> c['name']['expires'] = '123; path=.example.invalid'
'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'
Here's the offending line: Line 415 in b87c1c9
Why not quote all attribute values?
>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['name'] = 'value'
>>> c['name']['comment'] = '\n'
>>> c['name']['expires'] = '123; path=.example.invalid'
'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'
What do you think that the snippet above should return?
or
or
?
I don't think the path attribute (or all of them) needs to be quoted unconditionally. Looking at https://tools.ietf.org/html/rfc6265#section-4.1.1, it looks like quoting for cookie-value is optional. Is there a use case or examples from other programming languages you can share with us?
None of the above :-) I'd expect the last one, but with quoting. You should not be able to set fields in a cookie by injection.
New changeset d5a2377 by Berker Peksag in branch 'master':
New changeset 9fc998d by Berker Peksag (Miss Islington (bot)) in branch '3.7':
New changeset 8a6f4b4 by Berker Peksag (Miss Islington (bot)) in branch '3.6':
I've opened bpo-33535 to discuss Mark Williams' suggestion.
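An added example (not part of the original issue and not CPython's own code) of a caller-side check for the `expires` concern discussed above: attribute values are validated before they are assigned to a Morsel, using the RFC 6265 section 4.1.1 rule that path-value and extension-av are any CHAR except CTLs or ";". The helper names `is_safe_attr_value`, `build_header` and `attribute_names` are hypothetical, and the check is stricter than the library for Comment, which the fix above quotes instead.

```python
from http.cookies import SimpleCookie


def is_safe_attr_value(value):
    """True if value cannot end the attribute it is written into.

    RFC 6265 section 4.1.1 defines path-value and extension-av as any
    CHAR except CTLs or ";", so that rule is applied to every string.
    """
    if isinstance(value, int):  # ints and flag booleans are formatted by the library
        return True
    if not isinstance(value, str):
        return False
    return all(0x20 <= ord(ch) < 0x7F and ch != ";" for ch in value)


def build_header(attrs, name="name", value="value"):
    """Hypothetical helper: build a Set-Cookie header, refusing unsafe attributes."""
    cookie = SimpleCookie()
    cookie[name] = value
    for key, attr_value in attrs.items():
        if not is_safe_attr_value(attr_value):
            raise ValueError("unsafe value for cookie attribute %r" % key)
        cookie[name][key] = attr_value
    return cookie.output()


def attribute_names(header):
    """Attribute names a client sees after splitting the header on ';'."""
    return [part.split("=", 1)[0].strip().lower()
            for part in header.split(";")[1:]]


if __name__ == "__main__":
    print(build_header({"path": "/app"}))
    # Constructed sample: the header string quoted in the discussion above.
    reported = "Set-Cookie: name=value; expires=123; path=.example.invalid"
    print(attribute_names(reported))  # two attributes from one assignment
    try:
        build_header({"expires": "123; path=.example.invalid"})
    except ValueError as exc:
        print("rejected:", exc)
```

Comparing `attribute_names(header)` with the keys the application actually set is a cheap regression test for any code path that copies request data into cookie attributes.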