Message 63038 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	BM
Recipients	BM, jerry.seutter
Date	2008-02-26.12:18:41
SpamBayes Score	0.006575977
Marked as misclassified	No
Message-id	<1204028325.04.0.301053174916.issue2193@psf.upfronthosting.co.za>
In-reply-to

Content
OK, I see and agree there are no actually that standard that we can call as a standard. But let me try to put in the other way again: 1. This documentation refers to the same RFC2109: http://docs.python.org/lib/module-Cookie.html But the RFC is slightly older than next David's edition. 2. David M. Kristol's cookie overview also says that only comma, semi-column and a space is not allowed. Here you go: http://arxiv.org/abs/cs.SE/0105018 3. Java implements the same RFC2109 but supports a colon too, as oppose to Python version. Here is the link to the source of Tomcat 6 (the latest one): http://www.google.com/codesearch? hl=en&q=show:okuSsOjruck:iKnUOb7eVzc:kvBYp8tS5ms&sa=N&ct=rd&cs_p=ftp://apache.mirrors.pair.com/tomcat/tomcat- 6/v6.0.10/src/apache-tomcat-6.0.10-src.zip&cs_f=apache-tomcat-6.0.10- src/java/javax/servlet/http/Cookie.java&start=1 As you can see, there is no 0x3a to be excluded. The snippet is: ----------------------------------------------- private static final String tspecials = ",; "; private boolean isToken(String value) { int len = value.length(); for (int i = 0; i < len; i++) { char c = value.charAt(i); if (c < 0x20 \|\| c >= 0x7f \|\| tspecials.indexOf(c) != -1) return false; } return true; } ----------------------------------------------- I agree, Java is not a standard, but yet another (buggy) language. :-) Still it means something... 4. Perl module from CPAN does the same and allows a colon. http://search.cpan.org/~gaas/libwww-perl-5.808/lib/HTTP/Cookies.pm 5. You probably refer to the old Netscape specs (http://wp.netscape.com/newsref/std/cookie_spec.html) that for instance allows to contain an unquoted "," in the expires field, so usually new parser have to use special ad-hoc way to get it right. The difference between old format of cookies and new one is, that cookie name begins with a $. So the old format expects these cookies to be separated by semi-colon, not comma. 6. I am not very sure that tokens you are talking about are referring to NAME of Set-Cookie NAME=VALUE pair. Because the same section allows a white space between tokens, while it is not very true. Moreover, braces etc are allowed. The reason why comma, space and semi-colon are disallowed, because of parser should know where it what. Other symbols parsers does not care... 7. Maybe we should ask D.Kristol for this after all. :-) Hm... What do you think? :)

OK, I see and agree there are no actually that standard 
that we can call as a standard. But let me try to put in 
the other way again:

1. This documentation refers to the same RFC2109:
http://docs.python.org/lib/module-Cookie.html
But the RFC is slightly older than next David's edition.


2. David M. Kristol's cookie overview also says that only comma, 
semi-column and a space is not allowed. 
Here you go: http://arxiv.org/abs/cs.SE/0105018


3. Java implements the *same* RFC2109 but supports a colon too, 
as oppose to Python version. Here is the link to the source of
Tomcat 6 (the latest one):
http://www.google.com/codesearch?
hl=en&q=show:okuSsOjruck:iKnUOb7eVzc:kvBYp8tS5ms&sa=N&ct=rd&cs_p=ftp://apache.mirrors.pair.com/tomcat/tomcat-
6/v6.0.10/src/apache-tomcat-6.0.10-src.zip&cs_f=apache-tomcat-6.0.10-
src/java/javax/servlet/http/Cookie.java&start=1

As you can see, there is no 0x3a to be excluded. The snippet is:
-----------------------------------------------
private static final String tspecials = ",; ";

private boolean isToken(String value) {
    int len = value.length();
    for (int i = 0; i < len; i++) {
        char c = value.charAt(i);
        if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1)
            return false;
        }
    return true;
}
-----------------------------------------------
I agree, Java is not a standard, but yet another (buggy) language. :-)
Still it means something...


4. Perl module from CPAN does the same and allows a colon.
http://search.cpan.org/~gaas/libwww-perl-5.808/lib/HTTP/Cookies.pm

5. You probably refer to the old Netscape specs 
(http://wp.netscape.com/newsref/std/cookie_spec.html) that 
for instance allows to contain an unquoted "," in the expires 
field, so usually new parser have to use special ad-hoc way to 
get it right. 

The difference between old format of cookies and new one is,
that cookie name begins with a $. So the old format expects 
these cookies to be separated by semi-colon, not comma. 


6. I am not very sure that tokens you are talking about are
referring to NAME of Set-Cookie NAME=VALUE pair. Because the
same section allows a white space between tokens, while it is
not very true. Moreover, braces etc *are* allowed. The reason
why comma, space and semi-colon are disallowed, because of
parser should know where it what. Other symbols parsers does
not care...


7. Maybe we should ask D.Kristol for this after all. :-)


Hm... What do you think? :)

History
Date	User	Action	Args
2008-02-26 12:18:45	BM	set	spambayes_score: 0.00657598 -> 0.006575977 recipients: + BM, jerry.seutter
2008-02-26 12:18:45	BM	set	spambayes_score: 0.00657598 -> 0.00657598 messageid: <1204028325.04.0.301053174916.issue2193@psf.upfronthosting.co.za>
2008-02-26 12:18:44	BM	link	issue2193 messages
2008-02-26 12:18:42	BM	create