]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8aa7e99)
#9824: encode , and ; in cookie values so that browsers don't split on them
authorR. David Murray <rdmurray@bitdance.com>
Tue, 28 Dec 2010 18:54:13 +0000 (18:54 +0000)
committerR. David Murray <rdmurray@bitdance.com>
Tue, 28 Dec 2010 18:54:13 +0000 (18:54 +0000)
There is a small chance of backward incompatibility here, but only for
non-SimpleCookie applications reading SimpleCookie generated cookies.  Even
then, any such ap is likely to be handling escaped values already, and it would
take a fairly perverse implementation of unescaping to fail to unescape these
newly escaped chars, so the risk seems minimal.

Lib/http/cookies.py patch | blob | history
Lib/test/test_http_cookies.py patch | blob | history
Misc/NEWS patch | blob | history

diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index fb9589c6aa7deb7176dfbc1eab7831f5307a7c54..93da62791df4f3389e731cef910323fae565e417 100644 (file)
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -173,6 +173,11 @@ _Translator       = {
     '\033' : '\\033',  '\034' : '\\034',  '\035' : '\\035',
     '\036' : '\\036',  '\037' : '\\037',
 
+    # Because of the way browsers really handle cookies (as opposed
+    # to what the RFC says) we also encode , and ;
+
+    ',' : '\\054', ';' : '\\073',
+
     '"' : '\\"',       '\\' : '\\\\',
 
     '\177' : '\\177',  '\200' : '\\200',  '\201' : '\\201',
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index b008e0ff2a50dd0306129395fb3a731e4001b0e7..f9a98c4ae1427107f4872a3b29a5b0a24ecb3637 100644 (file)
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -69,6 +69,14 @@ class CookieTests(unittest.TestCase):
         </script>
         """)
 
+    def test_extended_encode(self):
+        # Issue 9824: some browsers don't follow the standard; we now
+        # encode , and ; to keep them from tripping up.
+        C = cookies.SimpleCookie()
+        C['val'] = "some,funky;stuff"
+        self.assertEqual(C.output(['val']),
+            'Set-Cookie: val="some\\054funky\\073stuff"')
+
     def test_special_attrs(self):
         # 'expires'
         C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
diff --git a/Misc/NEWS b/Misc/NEWS
index f69abcf1d1a73e2b60b5cfae28b834d35b601a42..8eec18e32163f4ad7ccc924e5bdad8ba8dd903d8 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -20,6 +20,9 @@ Core and Builtins
 Library
 -------
 
+- Issue 9824: SimpleCookie now encodes , and ; in values to cater to how
+  browsers actually parse cookies.
+
 - Issue 9333: os.symlink now available regardless of user privileges.
   The function now raises OSError on Windows >=6.0 when the user is unable
   to create symbolic links. XP and 2003 still raise NotImplementedError.
Unnamed repository; edit this file 'description' to name the repository.