Message 133057 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	carsten.klein@axn-software.de
Recipients	BM, BreamoreBoy, aclover, akuchling, carsten.klein, carsten.klein@axn-software.de, dstanek, georg.brandl, jerry.seutter, jjlee, karlcow, r.david.murray, tim.peters
Date	2011-04-05.18:02:14
SpamBayes Score	0.00015928267
Marked as misclassified	No
Message-id	<1302026536.03.0.724135596442.issue2193@psf.upfronthosting.co.za>
In-reply-to

Content
Guess you are right... I did overlook the quoted-string reference in the RFC: av-pair = attr ["=" value] ; optional value attr = token value = word word = token \| quoted-string The actual production rules for quoted-string are not specified, so I guess that anything resembling unicode data would be allowed in that string provided that: [...] from RFC 2109 10.1.3 Punctuation In Netscape's original proposal, the values in attribute-value pairs did not accept "-quoted strings. Origin servers should be cautious about sending values that require quotes unless they know the receiving user agent understands them (i.e., "new" cookies). A ("new") user agent should only use quotes around values in Cookie headers when the cookie's version(s) is (are) all compliant with this specification or later. in RFC 2965 there is no such notice... However, and this is important, the cookie values not matching token must be quoted by the origin server upon setting and the client must return these as quoted strings as well.

Guess you are right...

I did overlook the quoted-string reference in the RFC:

   av-pair         =       attr ["=" value]        ; optional value
   attr            =       token
   value           =       word
   word            =       token | quoted-string

The actual production rules for quoted-string are not specified, so I guess that anything resembling unicode data would be allowed in that string provided that:

[...] from RFC 2109
10.1.3  Punctuation

   In Netscape's original proposal, the values in attribute-value pairs
   did not accept "-quoted strings.  Origin servers should be cautious
   about sending values that require quotes unless they know the
   receiving user agent understands them (i.e., "new" cookies).  A
   ("new") user agent should only use quotes around values in Cookie
   headers when the cookie's version(s) is (are) all compliant with this
   specification or later.

in RFC 2965 there is no such notice...

However, and this is important, the cookie values not matching token must be quoted by the origin server upon setting and the client must return these as quoted strings as well.

History
Date	User	Action	Args
2011-04-05 18:02:16	carsten.klein@axn-software.de	set	recipients: + carsten.klein@axn-software.de, tim.peters, akuchling, georg.brandl, jjlee, dstanek, jerry.seutter, BM, aclover, r.david.murray, karlcow, BreamoreBoy, carsten.klein
2011-04-05 18:02:16	carsten.klein@axn-software.de	set	messageid: <1302026536.03.0.724135596442.issue2193@psf.upfronthosting.co.za>
2011-04-05 18:02:14	carsten.klein@axn-software.de	link	issue2193 messages
2011-04-05 18:02:14	carsten.klein@axn-software.de	create