Author sirkonst
Recipients sirkonst
Date 2019-06-14.08:41:29
Message-id <1560501690.14.0.434114387204.issue37277@roundup.psfhosted.org>
In-reply-to
Content
A very strange case, but https://www.ietf.org/rfc/rfc2109.txt (see 4.1 Syntax: General) defines that "= value" is optional for attribute-value pairs in the Cookie header.

And SimpleCookie is fully broken if it meets an attribute without a value, for example:

```
>>> from http.cookies import SimpleCookie

# all ok
>>> SimpleCookie('a=1')
<SimpleCookie: a='1'>

# parsing is fully broken: it fails to parse not only `test` but `a` too
>>> SimpleCookie('test; a=1')
<SimpleCookie: >

# or
>>> SimpleCookie('a=1; test; b=2')
<SimpleCookie: >
```

I think the problem hasn't been noticed for so long because people usually use frameworks; for example, Django parses it correctly because it has a workaround - https://github.com/django/django/blob/master/django/http/cookie.py#L20.

Go Lang handles that case too, for example - https://play.golang.org/p/y0eFXVq6byK

(As you can see, Go Lang and Django have different behavior for that case, and I think Go Lang does it better.)

The problem seems minor, but aiohttp uses SimpleCookie as is (https://github.com/aio-libs/aiohttp/blob/3.5/aiohttp/web_request.py#L482), and if a request has that strange cookie value mixed with other normal values, none of the cookies can be parsed by aiohttp (request.cookies is just empty).

In the real world, in my web application (based on aiohttp), it fully breaks authentication for requests based on cookies.

I hope that will be fixed in SimpleCookie without implementing a workaround for aiohttp like Django's.
History
Date User Action Args
2019-06-14 08:41:30 sirkonst set recipients: + sirkonst
2019-06-14 08:41:30 sirkonst set messageid: <1560501690.14.0.434114387204.issue37277@roundup.psfhosted.org>
2019-06-14 08:41:30 sirkonst link issue37277 messages
2019-06-14 08:41:29 sirkonst create
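
An added example, not part of the original report and not code from CPython, Django, Go or aiohttp: a Cookie header parser that handles each pair on its own, so an attribute without a value cannot blank out the cookies around it, plus a check that reports names `SimpleCookie` does not return. The function names, and the choice to keep a valueless token as a name with an empty value, are assumptions made for illustration.

```python
from http.cookies import CookieError, SimpleCookie


def parse_cookie_header(header):
    """Parse a Cookie request header one pair at a time.

    Returns (cookies, valueless): `cookies` maps name -> value and
    `valueless` lists the tokens that had no "=". A malformed pair
    never discards the pairs around it.
    """
    cookies, valueless = {}, []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # empty segment, e.g. after a trailing ";"
        name, sep, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not sep:
            # Attribute without "= value" (the case in this report).
            # Assumption: keep it as a name with an empty value, but
            # never let it replace a real name=value pair.
            valueless.append(chunk)
            cookies.setdefault(chunk, "")
        elif name:
            # Surrounding double quotes are removed; backslash escapes
            # inside a quoted string are not decoded here.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            cookies[name] = value
    return cookies, valueless


def names_lost_by_simplecookie(header):
    """Names the tolerant parser finds that SimpleCookie does not return."""
    tolerant, _ = parse_cookie_header(header)
    try:
        strict = set(SimpleCookie(header))
    except CookieError:
        strict = set()  # SimpleCookie rejected the header outright
    return set(tolerant) - strict


if __name__ == "__main__":
    # Constructed sample headers, modelled on the ones in the report.
    for sample in ("a=1", "test; a=1", "a=1; test; b=2"):
        print(repr(sample), parse_cookie_header(sample),
              sorted(names_lost_by_simplecookie(sample)))
```

A non-empty result from `names_lost_by_simplecookie` on a request that should carry a session cookie is worth logging, since the application would otherwise treat the request as unauthenticated with no visible parse error.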