From: R. David Murray Date: Tue, 28 Dec 2010 19:11:03 +0000 (+0000) Subject: Merged revisions 87550 via svnmerge from X-Git-Tag: v2.7.2rc1~431 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=08fc701714e294279bb313d2f13c7486d3ee8b7f;p=python Merged revisions 87550 via svnmerge from svn+ssh://pythondev@svn.python.org/python/branches/py3k ........ r87550 | r.david.murray | 2010-12-28 13:54:13 -0500 (Tue, 28 Dec 2010) | 8 lines #9824: encode , and ; in cookie values so that browsers don't split on them There is a small chance of backward incompatibility here, but only for non-SimpleCookie applications reading SimpleCookie generated cookies. Even then, any such ap is likely to be handling escaped values already, and it would take a fairly perverse implementation of unescaping to fail to unescape these newly escaped chars, so the risk seems minimal. ........ --- diff --git a/Lib/Cookie.py b/Lib/Cookie.py index b4f9db4e82..323450b38a 100644 --- a/Lib/Cookie.py +++ b/Lib/Cookie.py @@ -258,6 +258,11 @@ _Translator = { '\033' : '\\033', '\034' : '\\034', '\035' : '\\035', '\036' : '\\036', '\037' : '\\037', + # Because of the way browsers really handle cookies (as opposed + # to what the RFC says) we also encode , and ; + + ',' : '\\054', ';' : '\\073', + '"' : '\\"', '\\' : '\\\\', '\177' : '\\177', '\200' : '\\200', '\201' : '\\201', diff --git a/Lib/test/test_cookie.py b/Lib/test/test_cookie.py index 0e74ccf6a4..d09398dca1 100644 --- a/Lib/test/test_cookie.py +++ b/Lib/test/test_cookie.py 
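Review bot: The comment added above the `','` and `';'` entries in `_Translator` says only "the way browsers really handle cookies" and does not state the behaviour being worked around or what goes wrong without the escape. Going by the commit message, browsers split a cookie value on `,` and `;` even inside a quoted string, so the value is cut short and the tail after a `;` is presumably read as further cookie attributes, which matters most when the value carries text the application did not choose. I would spell that out and cite the issue, for example `# Issue 9824: browsers split on , and ; even inside a quoted value, so` followed by `# escape them as octal to keep the whole value in one piece.` The `_Translator` dict opens and closes outside this hunk, and the quoting routine that decides when the table is applied is not visible here, so it is worth confirming that a value whose only special character is `,` or `;` is actually sent through it.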
@@ -72,6 +72,14 @@ class CookieTests(unittest.TestCase): self.assertEqual(C['Customer']['expires'], 'Wed, 01-Jan-98 00:00:00 GMT') + def test_extended_encode(self): + # Issue 9824: some browsers don't follow the standard; we now + # encode , and ; to keep them from tripping up. + C = Cookie.SimpleCookie() + C['val'] = "some,funky;stuff" + self.assertEqual(C.output(['val']), + 'Set-Cookie: val="some\\054funky\\073stuff"') + def test_quoted_meta(self): # Try cookie with quoted meta-data C = Cookie.SimpleCookie() diff --git a/Misc/NEWS b/Misc/NEWS index 809148cf39..6ffb39a1dc 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -22,6 +22,9 @@ Core and Builtins Library ------- +- Issue 9824: SimpleCookie now encodes , and ; in values to cater to how + browsers actually parse cookies. + - Issue #1379416: eliminated a source of accidental unicode promotion in email.header.Header.encode.
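Review bot: `test_extended_encode` checks only the encoded output, so nothing here confirms that SimpleCookie reads the new `\\054` and `\\073` escapes back to the original characters, which is the compatibility the commit message relies on. A round-trip assertion would pin that down: `C2 = Cookie.SimpleCookie()`, `C2.load('val="some\\054funky\\073stuff"')`, `self.assertEqual(C2['val'].value, "some,funky;stuff")`. A second case whose value contains only a `,` or only a `;` would also show that such values are quoted and escaped rather than emitted raw. The enclosing `CookieTests` class starts and ends outside the hunk.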