Message 259718 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jaraco
Recipients	jaraco, serhiy.storchaka
Date	2016-02-06.05:18:49
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1454735930.3.0.423422750364.issue26302@psf.upfronthosting.co.za>
In-reply-to

Content
Commas aren't legal characters in cookie keys, yet in Python 3.5, they're allowed: >>> bool(http.cookies._is_legal_key(',')) True The issue lies in the use of _LegalChars constructing a regular expression. "Some people, when confronted with a problem, think 'I know, I'll use regular expressions.' Now they have two problems." The issue arises in this line: _is_legal_key = re.compile('[%s]+' % _LegalChars).fullmatch Which was added in 88e1151e8e0242 referencing issue2211. The problem is that in a regular expression, and in a character class in particular, the '-' character has a special meaning if not the first character in the class, which is "span all characters between the leading and following characters". As a result, the pattern has the unintended effect of including the comma in the pattern: >>> http.cookies._is_legal_key.__self__ re.compile("[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'*+-.^_`\|~:]+") >>> pattern = _ >>> pattern.fullmatch(',') <_sre.SRE_Match object; span=(0, 1), match=','> >>> ord('+') 43 >>> ord('.') 46 >>> ''.join(map(chr, range(43,47))) '+,-.' That's how the comma creeped in. This issue is the underlying cause of https://bitbucket.org/cherrypy/cherrypy/issues/1405/testcookies-fails-on-python-35 and possible other cookie-related bugs in Python. While I jest about regular expressions, I like the implementation. It just needs to account for the extraneous comma, perhaps by escaping the dash: _is_legal_key = re.compile('[%s]+' % _LegalChars.replace('-', '\\-')).fullmatch Also, regression tests for keys containing invalid characters should be added as well.

Commas aren't legal characters in cookie keys, yet in Python 3.5, they're allowed:

>>> bool(http.cookies._is_legal_key(','))
True

The issue lies in the use of _LegalChars constructing a regular expression.

"Some people, when confronted with a problem, think 'I know, I'll use regular expressions.' Now they have two problems."

The issue arises in this line:

_is_legal_key = re.compile('[%s]+' % _LegalChars).fullmatch

Which was added in 88e1151e8e0242 referencing issue2211.

The problem is that in a regular expression, and in a character class in particular, the '-' character has a special meaning if not the first character in the class, which is "span all characters between the leading and following characters". As a result, the pattern has the unintended effect of including the comma in the pattern:

>>> http.cookies._is_legal_key.__self__
re.compile("[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'*+-.^_`|~:]+")
>>> pattern = _
>>> pattern.fullmatch(',')
<_sre.SRE_Match object; span=(0, 1), match=','>
>>> ord('+')
43
>>> ord('.')
46
>>> ''.join(map(chr, range(43,47)))
'+,-.'

That's how the comma creeped in.

This issue is the underlying cause of https://bitbucket.org/cherrypy/cherrypy/issues/1405/testcookies-fails-on-python-35 and possible other cookie-related bugs in Python.

While I jest about regular expressions, I like the implementation. It just needs to account for the extraneous comma, perhaps by escaping the dash:

_is_legal_key = re.compile('[%s]+' % _LegalChars.replace('-', '\\-')).fullmatch

Also, regression tests for keys containing invalid characters should be added as well.

History
Date	User	Action	Args
2016-02-06 05:18:50	jaraco	set	recipients: + jaraco, serhiy.storchaka
2016-02-06 05:18:50	jaraco	set	messageid: <1454735930.3.0.423422750364.issue26302@psf.upfronthosting.co.za>
2016-02-06 05:18:50	jaraco	link	issue26302 messages
2016-02-06 05:18:49	jaraco	create