Author chfoo
Recipients chfoo
Date 2014-12-31.05:06:26
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1420002389.34.0.647467472383.issue23138@psf.upfronthosting.co.za>
In-reply-to
Content
Something like "Set-Cookie: ; Expires=Thu, 01 Jan 1970 00:00:10 GMT" causes the resulting cookie.value to be parsed as an int.

I expected either str or None as described in the documentation.

Example evil server:

    try:
        import http.server as http_server  # Python 3
    except ImportError:
        import BaseHTTPServer as http_server  # Python 2


    class MyHandler(http_server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            # Malformed: no name=value pair, only an Expires attribute.
            self.send_header('Set-Cookie', '; Expires=Thu, 01 Jan 1970 00:00:10 GMT')
            # Well-formed cookie for comparison.
            self.send_header('Set-Cookie', 'good=123.45600')
            self.end_headers()


    def main():
        server = http_server.HTTPServer(('127.0.0.1', 8000), MyHandler)
        server.serve_forever()


    if __name__ == '__main__':
        main()


Example innocent client:

    try:
        import http.cookiejar as http_cookiejar  # Python 3
    except ImportError:
        import cookielib as http_cookiejar  # Python 2

    try:
        import urllib.request as urllib_request  # Python 3
    except ImportError:
        import urllib2 as urllib_request  # Python 2


    def main():
        cj = http_cookiejar.CookieJar()
        opener = urllib_request.build_opener(urllib_request.HTTPCookieProcessor(cj))
        # The cookie processor stores whatever the server's Set-Cookie headers parse to.
        r = opener.open("http://127.0.0.1:8000/")
        r.close()

        print(cj._cookies)

    if __name__ == '__main__':
        main()


The resulting output is:

{'127.0.0.1': {'/': {'expires': Cookie(version=0, name='expires', value=10.0, port=None, port_specified=False, domain='127.0.0.1', domain_specified=False, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False), 'good': Cookie(version=0, name='good', value='123.45600', port=None, port_specified=False, domain='127.0.0.1', domain_specified=False, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)}}}

It gives two cookies where the first one contains name='expires', value=10.0 which is unexpected. I expected that either the bad cookie is discarded or it is accepted but the value is always a str (even if it is garbage) or None.

This bug was found in my custom cookie policy where I do len(cookie.value or ''). There is also a reference on StackOverflow, but I believe no Python library bug report was filed: http://stackoverflow.com/q/20325571/1524507.

This was tested on Python 2.7.8, 3.2.6, 3.3.6, and 3.4.2.
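The following is an added example, not code from the report or from CPython: a defensive CookiePolicy that refuses to store a cookie whose name is empty or collides with a cookie attribute, or whose value is not the documented str/None, fed with the same two Set-Cookie headers through a constructed response object so it runs offline. The class and helper names (StrictValuePolicy, _FakeResponse, load_cookies, make_cookie) are assumptions for this example; the headers are reconstructed from the report.

```python
import email.message
import http.cookiejar
import urllib.request

# Attribute names that must never end up as a cookie's own name.
RESERVED_NAMES = frozenset(
    {"expires", "domain", "path", "secure", "version", "port", "max-age"}
)


def cookie_is_wellformed(cookie):
    """True only if the Cookie has the field types the documentation promises."""
    if not cookie.name or cookie.name.lower() in RESERVED_NAMES:
        return False
    if cookie.value is not None and not isinstance(cookie.value, str):
        return False
    return True


class StrictValuePolicy(http.cookiejar.DefaultCookiePolicy):
    """Hypothetical hardening policy (not part of CPython).

    It extends DefaultCookiePolicy.set_ok so a malformed header such as
    "; Expires=..." cannot leave a non-str value in the jar; downstream code
    doing len(cookie.value or '') then never sees a float.
    """

    def set_ok(self, cookie, request):
        if not cookie_is_wellformed(cookie):
            return False
        return super().set_ok(cookie, request)


class _FakeResponse:
    """Minimal stand-in for the response CookieJar.extract_cookies expects."""

    def __init__(self, set_cookie_values):
        msg = email.message.Message()
        for value in set_cookie_values:
            msg["Set-Cookie"] = value  # Message keeps repeated headers
        self._msg = msg

    def info(self):
        return self._msg


def load_cookies(set_cookie_headers, url="http://127.0.0.1:8000/", policy=None):
    """Feed constructed Set-Cookie headers to a CookieJar; return {name: value}."""
    jar = http.cookiejar.CookieJar(policy=policy or StrictValuePolicy())
    request = urllib.request.Request(url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)
    return {c.name: c.value for c in jar}


def make_cookie(name, value, domain="127.0.0.1"):
    """Build a bare version-0 Cookie for testing the policy without a server."""
    return http.cookiejar.Cookie(
        0, name, value, None, False, domain, False, False, "/", False,
        False, None, True, None, None, {},
    )


# Constructed headers mirroring the report: one malformed, one well-formed.
MALFORMED = "; Expires=Thu, 01 Jan 1970 00:00:10 GMT"
GOOD = "good=123.45600"


if __name__ == "__main__":
    print(load_cookies([MALFORMED, GOOD]))
```

With this policy the jar holds only the "good" cookie on every interpreter version: on the versions in the report the 'expires' cookie with a float value is rejected by set_ok, and on releases where the parser already drops a nameless cookie the check simply never fires.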
History
Date                 User   Action  Args
2014-12-31 05:06:29  chfoo  set     recipients: + chfoo
2014-12-31 05:06:29  chfoo  set     messageid: <1420002389.34.0.647467472383.issue23138@psf.upfronthosting.co.za>
2014-12-31 05:06:29  chfoo  link    issue23138 messages
2014-12-31 05:06:26  chfoo  create