
Author martin.panter
Recipients Adam Davis, infinitewarp, martin.panter
Date 2019-01-27.03:56:32
Message-id <1548561393.01.0.662471894413.issue31456@roundup.psfhosted.org>
Content
The main cause of this behaviour is that whitespace (matching the ASCII RE “\s”) is treated as separation between cookie “morsels”. It looks like this has always been the behaviour, but I’m not sure it was intended.

>>> from http.cookies import BaseCookie
>>> print(BaseCookie('first=morsel second=morsel'))
Set-Cookie: first=morsel
Set-Cookie: second=morsel

This could be a security problem, if an attacker managed to inject a CSRF token as the second “morsel”. This was mentioned in <https://translate.google.com/translate?u=https://habr.com/en/post/272187/>.

IMO it would be better to not split off a second morsel. Either keep it as one long morsel value with spaces in, or skip over it to the next semicolon (;).

The reason why the whole cookie string is lost is due to the behaviour of cookie morsels without equals signs:

>>> BaseCookie('cookie=lost; ignore').items()
dict_items([])

IMO it would be better to skip over these to the next semicolon as well. It looks like this is a regression in Python 3.5+ caused by Issue 22796.
History
Date  User  Action  Args
2019-01-27 03:56:34  martin.panter  set  recipients: + martin.panter, Adam Davis, infinitewarp
2019-01-27 03:56:33  martin.panter  set  messageid: <1548561393.01.0.662471894413.issue31456@roundup.psfhosted.org>
2019-01-27 03:56:33  martin.panter  link  issue31456 messages
2019-01-27 03:56:32  martin.panter  create
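
The parsing policy proposed in the message above, sketched as an added example (not part of the original message and not CPython's code): morsels are split on semicolons only, and a malformed morsel is skipped rather than discarding the whole header. The names `parse_cookie_header` and `keep_spaces` are hypothetical, and the name pattern follows the RFC 6265 token rule as an assumption about what a strict parser should accept.

```python
import re

# Assumption: legal cookie names are RFC 6265 "token" characters.
_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_WS = re.compile(r"\s", re.ASCII)


def parse_cookie_header(header, keep_spaces=False):
    """Parse a Cookie request header, treating ';' as the only separator.

    Whitespace never starts a new morsel. A morsel whose value contains
    whitespace is either skipped (default) or kept as one long value
    (keep_spaces=True), the two alternatives suggested in the message.
    A morsel without '=' or with an illegal name is skipped, and parsing
    continues at the next semicolon instead of dropping everything.
    """
    cookies = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _NAME.fullmatch(name):
            continue  # no '=' or illegal name: skip to the next ';'
        if _WS.search(value) and not keep_spaces:
            continue  # embedded whitespace: do not split, do not trust
        cookies[name] = value  # plain dict semantics: a later duplicate replaces
    return cookies


if __name__ == "__main__":
    # Constructed inputs, taken from the two cases shown in the message.
    for header in ("first=morsel second=morsel", "cookie=lost; ignore"):
        print(repr(header), "->", parse_cookie_header(header))
    print(parse_cookie_header("first=morsel second=morsel", keep_spaces=True))
```

With this policy an injected `second=morsel` after a space never becomes a separate cookie, and `cookie=lost` survives the trailing `ignore`.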