
classification
Title: Cookie parsing should be more permissive
Type: enhancement
Stage:
Components: Library (Lib)
Versions: Python 3.5
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: http.cookies: Handle malformed cookie (issue 17340)
Assigned To:
Nosy List: Tim Pierce, Waldemar.Parzonka, demian.brecht, martin.panter, orsenthil, pitrou
Priority: normal
Keywords:

Created on 2014-12-02 16:59 by demian.brecht, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg232020 - Author: Demian Brecht (demian.brecht) (Python triager) Date: 2014-12-02 16:59
As found in #22931, if an invalid cookie value is found while parsing, the rest of the cookie is silently ignored. The expected behavior is undefined in RFC 6265, but it does state that if unexpected values are encountered, user agents MAY ignore an entire set-cookie string (not just a subsection of it). Given that, invalid cookie portions should likely be handled by either:
1. Ignore the cookie string in its entirety and log an error message, or
2. Ignore invalid cookie-pairs but still parse the rest of the string.
The latter would likely be the best path (Postel's law and all).
msg232024 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-12-02 17:08
Well, remember that we recently made parsing stricter in response to a security issue...
msg232028 - Author: Demian Brecht (demian.brecht) (Python triager) Date: 2014-12-02 17:25
Sure, but this is in regards to the initial matching, not the parsing. Because the pattern expects RFC conformity, in this cookie string:
Cookie: a=b; c=[; d=r; f=h
The only matching parts will be:
Cookie: a=b;
The rest will be discarded. What I'm proposing is that this should instead result in:
Cookie: a=b; d=r; f=h
The recent changes would stay intact.
msg232029 - Author: Demian Brecht (demian.brecht) (Python triager) Date: 2014-12-02 17:26
Sorry, bad example. Replace "[" in the previous example with any actually invalid character.
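To make the two options from msg232020 concrete, here is an added example (not code from this tracker, from CPython, or from http.cookies) of a small Cookie request-header parser. Lenient mode drops only the malformed cookie-pair and keeps the rest, which is the result Demian asks for in msg232028; strict mode discards the whole header and logs an error. Because "[" is actually a legal value character, the constructed sample header uses a control character (\x01) as the invalid one. The cookie-octet and token character classes are my reading of RFC 6265 and RFC 2616, the function and constant names are my own, and stdlib_parse is only there to show, for comparison, what SimpleCookie keeps on the interpreter you run it with (that result is version dependent and is not asserted on).

```python
import logging
import re
from http.cookies import SimpleCookie

log = logging.getLogger("cookie-parse")

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e.
# printable US-ASCII minus CTLs, SP, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTET = r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]"
# RFC 6265 cookie-value: *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
_COOKIE_VALUE = rf'(?:{_COOKIE_OCTET}*|"{_COOKIE_OCTET}*")'
# RFC 2616 token, used by RFC 6265 for cookie-name: no CTLs, no separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PAIR_RE = re.compile(rf"(?P<name>{_TOKEN})=(?P<value>{_COOKIE_VALUE})")


def parse_cookie_header(header, mode="lenient"):
    """Parse a Cookie: request-header value into (cookies, rejected).

    mode="lenient": skip malformed cookie-pairs and keep the valid ones
                    (option 2 in msg232020).
    mode="strict":  discard the whole header on the first malformed pair
                    and log an error (option 1 in msg232020).
    Quoted values keep their surrounding DQUOTEs, as RFC 6265 defines them.
    """
    if mode not in ("lenient", "strict"):
        raise ValueError(f"unknown mode {mode!r}")
    cookies = {}
    rejected = []
    # RFC 6265 forbids ';' inside a cookie-value, so splitting on it is safe.
    for raw in header.split(";"):
        pair = raw.strip(" \t")
        if not pair:
            continue  # tolerate empty segments such as a trailing ';'
        match = _PAIR_RE.fullmatch(pair)
        if match is None:
            rejected.append(pair)
            if mode == "strict":
                log.error("discarding Cookie header: malformed pair %r", pair)
                return {}, rejected
            continue  # lenient: drop this pair only, keep parsing
        cookies[match["name"]] = match["value"]
    return cookies, rejected


def stdlib_parse(header):
    """What http.cookies.SimpleCookie keeps; the result depends on the Python version."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# Constructed sample header: the \x01 inside c's value is not a cookie-octet.
SAMPLE_HEADER = "a=b; c=x\x01y; d=r; f=h"

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("lenient:", parse_cookie_header(SAMPLE_HEADER))
    print("strict: ", parse_cookie_header(SAMPLE_HEADER, mode="strict"))
    print("stdlib: ", stdlib_parse(SAMPLE_HEADER))
```

The rejected list is returned alongside the cookies so that a server can log exactly which pair was dropped instead of losing it silently, which is the complaint in msg232020; lenient mode still never accepts a pair that fails the grammar, so the stricter matching introduced for the security fix mentioned in msg232024 is preserved.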
msg259819 - Author: Martin Panter (martin.panter) (Python committer) Date: 2016-02-08 05:51
The patch at Issue 25228 should partially do what Demian proposed. Anyway, I think Issue 17340 is basically about the same problem.
History
Date                 User               Action  Args
2022-04-11 14:58:10  admin              set     github: 67172
2016-02-08 05:51:24  martin.panter      set     status: open -> closed; nosy: + martin.panter; messages: + msg259819; superseder: http.cookies: Handle malformed cookie; resolution: duplicate
2015-06-09 14:35:59  Tim Pierce         set     nosy: + Tim Pierce
2014-12-03 09:24:53  Waldemar.Parzonka  set     nosy: + Waldemar.Parzonka
2014-12-02 17:26:46  demian.brecht      set     messages: + msg232029
2014-12-02 17:25:51  demian.brecht      set     messages: + msg232028
2014-12-02 17:08:35  pitrou             set     nosy: + orsenthil, pitrou; messages: + msg232024
2014-12-02 16:59:37  demian.brecht      create
