➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2004-07-15 00:17 byzenzen, last changed2022-04-11 14:56 byadmin. This issue is nowclosed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| 991266test.patch | zdobersek,2009-02-14 17:14 | Patch to test_cookie.py | review | |
| 991266fix.patch | zdobersek,2009-02-18 14:40 | Fix - properly quote cookie's comment | review | |
| issue991266.diff | berker.peksag,2016-04-25 12:04 | review | ||
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 6555 | merged | berker.peksag,2018-04-20 21:29 | |
| PR 6570 | merged | miss-islington,2018-04-22 23:48 | |
| PR 6571 | merged | miss-islington,2018-04-22 23:49 | |
| Messages (15) | |||
|---|---|---|---|
| msg60528 -(view) | Author: Stuart Bishop (zenzen) | Date: 2004-07-15 00:17 | |
The quoting works fine for cookie values, but doesn't kick in for attributes like Comment. >>> c = SimpleCookie()>>> c['foo'] = u'\N{COPYRIGHT SIGN}'.encode('UTF8')>>> print str(c)Set-Cookie: foo="\302\251";>>> c['foo']['comment'] = u'\N{BIOHAZARD SIGN}'.encode('UTF8')>>> print str(c)Set-Cookie: foo="\302\251"; Comment=?;>>> str(c)'Set-Cookie: foo="\\302\\251"; Comment=\xe2\x98\xa3;'>>> | |||
| msg82094 -(view) | Author: Zan Dobersek (zdobersek) | Date: 2009-02-14 17:14 | |
This patch adds an unicode character, converted to UTF8 as a cookie'scomment and then checks if it is correctly quoted. | |||
| msg82418 -(view) | Author: Zan Dobersek (zdobersek) | Date: 2009-02-18 14:40 | |
This patch properly quotes cookie's comment and successfully passestest_cookie.py with applied patch. | |||
| msg82420 -(view) | Author: Daniel Diniz (ajaksu2)* | Date: 2009-02-18 15:07 | |
Thanks, Zan!All tests pass with both patches applied. Test and fix look correct to me. | |||
| msg110392 -(view) | Author: Mark Lawrence (BreamoreBoy)* | Date: 2010-07-15 22:17 | |
Can someone please take a look at this Cookie.py two line patch. | |||
| msg114367 -(view) | Author: Mark Lawrence (BreamoreBoy)* | Date: 2010-08-19 15:12 | |
Can we have this committed please,msg82420 says the patches are ok. | |||
| msg264172 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2016-04-25 12:04 | |
Here is a patch for Python 3. | |||
| msg315496 -(view) | Author: Alex Gaynor (alex)* | Date: 2018-04-20 00:16 | |
Berker your patch looks good to me.Convert it to a PR and then merge? | |||
| msg315498 -(view) | Author: Mark Williams (Mark.Williams)* | Date: 2018-04-20 02:04 | |
This patch only quotes the Comment attribute, and the rest of the code only quotes attributes if they're of the expected type. Consider Expires:>>> from http.cookies import SimpleCookie>>> c = SimpleCookie()>>> c['name'] = 'value'>>> c['name']['comment'] = '\n'>>> c['name']['expires'] = 123>>> c.output()'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT'>>> c['name']['expires'] = '123; path=.example.invalid''Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'Here's the offending line:https://github.com/python/cpython/blob/b87c1c92fc93c5733cd3d8606ab2301ca6ba208f/Lib/http/cookies.py#L415Why not quote all attribute values? | |||
| msg315499 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2018-04-20 03:04 | |
>>> from http.cookies import SimpleCookie>>> c = SimpleCookie()>>> c['name'] = 'value'>>> c['name']['comment'] = '\n'>>> c['name']['expires'] = '123; path=.example.invalid''Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'What do you think that the snippet above should return? 'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT; path=.example.invalid'or 'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT; path=".example.invalid"'or 'Set-Cookie: name=value; Comment="\\012"; expires=123; path=".example.invalid"'?I don't think the path attribute (or all of them) needs to be quoted unconditionally. Looking athttps://tools.ietf.org/html/rfc6265#section-4.1.1, it looks like quoting for cookie-value is optional.Is there a use case or examples from other programming languages you can share with us? | |||
| msg315500 -(view) | Author: Alex Gaynor (alex)* | Date: 2018-04-20 03:07 | |
None of the above :-) I'd expect the last one, but with quoting.You should not be able to set fields in a cookie by injection. | |||
| msg315634 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2018-04-22 23:48 | |
New changesetd5a2377c3d70e4143bcbee4a765b3434e21f683a by Berker Peksag in branch 'master':bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555)https://github.com/python/cpython/commit/d5a2377c3d70e4143bcbee4a765b3434e21f683a | |||
| msg315636 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2018-04-23 00:58 | |
New changeset9fc998d761591f2741d8e94f5b3009c56ae83882 by Berker Peksag (Miss Islington (bot)) in branch '3.7':bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555)https://github.com/python/cpython/commit/9fc998d761591f2741d8e94f5b3009c56ae83882 | |||
| msg315637 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2018-04-23 00:58 | |
New changeset8a6f4b4bba950fb8eead1b176c58202d773f2f70 by Berker Peksag (Miss Islington (bot)) in branch '3.6':bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555)https://github.com/python/cpython/commit/8a6f4b4bba950fb8eead1b176c58202d773f2f70 | |||
| msg316782 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2018-05-16 08:16 | |
I've openedbpo-33535 to discuss Mark Williams' suggestion. | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:05 | admin | set | github: 40569 |
| 2018-05-16 08:16:42 | berker.peksag | set | status: open -> closed versions: - Python 2.7 messages: +msg316782 resolution: fixed stage: patch review -> resolved |
| 2018-04-23 00:58:53 | berker.peksag | set | messages: +msg315637 |
| 2018-04-23 00:58:33 | berker.peksag | set | messages: +msg315636 |
| 2018-04-22 23:49:21 | miss-islington | set | pull_requests: +pull_request6268 |
| 2018-04-22 23:48:27 | miss-islington | set | pull_requests: +pull_request6267 |
| 2018-04-22 23:48:14 | berker.peksag | set | messages: +msg315634 |
| 2018-04-20 21:29:51 | berker.peksag | set | pull_requests: +pull_request6251 |
| 2018-04-20 03:07:18 | alex | set | messages: +msg315500 |
| 2018-04-20 03:04:19 | berker.peksag | set | messages: +msg315499 versions: + Python 3.7, Python 3.8, - Python 3.4, Python 3.5 |
| 2018-04-20 02:04:19 | Mark.Williams | set | nosy: +Mark.Williams messages: +msg315498 versions: + Python 3.4 |
| 2018-04-20 00:16:17 | alex | set | nosy: +alex messages: +msg315496 |
| 2016-04-25 12:04:56 | berker.peksag | set | files: +issue991266.diff versions: + Python 3.5, Python 3.6, - Python 3.1, Python 3.2 nosy: +berker.peksag messages: +msg264172 |
| 2014-02-03 19:49:29 | BreamoreBoy | set | nosy: -BreamoreBoy |
| 2010-08-19 15:12:27 | BreamoreBoy | set | messages: +msg114367 |
| 2010-07-15 22:17:56 | BreamoreBoy | set | versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6 |
| 2010-07-15 22:17:00 | BreamoreBoy | set | nosy: +BreamoreBoy messages: +msg110392 |
| 2009-02-18 15:07:02 | ajaksu2 | set | nosy: +ajaksu2 messages: +msg82420 stage: test needed -> patch review |
| 2009-02-18 14:40:15 | zdobersek | set | files: +991266fix.patch messages: +msg82418 |
| 2009-02-14 17:14:14 | zdobersek | set | files: +991266test.patch keywords: +patch messages: +msg82094 nosy: +zdobersek |
| 2009-02-13 21:13:09 | jjlee | set | nosy: -jjlee |
| 2009-02-13 01:18:53 | ajaksu2 | set | nosy: +jjlee stage: test needed type: behavior versions: + Python 2.6, - Python 2.3 |
| 2004-07-15 00:17:04 | zenzen | create | |