[Python-checkins] cpython (merge 3.3 -> default): Merge #16611: BaseCookie now parses 'secure' and 'httponly' flags.

r.david.murray python-checkins at python.org
Sun Aug 25 17:10:11 CEST 2013

• Previous message: [Python-checkins] cpython (3.3): #16611: BaseCookie now parses 'secure' and 'httponly' flags.
• Next message: [Python-checkins] cpython (2.7): Issue #18817: Fix a resource warning in Lib/aifc.py demo.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

http://hg.python.org/cpython/rev/f81846c2b746
changeset: 85386:f81846c2b746
parent: 85383:8345fb616cbd
parent: 85385:0dbe45697efc
user: R David Murray <rdmurray at bitdance.com>
date: Sun Aug 25 11:09:45 2013 -0400
summary:
 Merge #16611: BaseCookie now parses 'secure' and 'httponly' flags.
files:
 Lib/http/cookies.py | 29 ++++++++++-----
 Lib/test/test_http_cookies.py | 40 ++++++++++++++++++++++-
 Misc/NEWS | 3 +
 3 files changed, 61 insertions(+), 11 deletions(-)
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -338,6 +338,8 @@
 "version" : "Version",
 }
 
+ _flags = {'secure', 'httponly'}
+
 def __init__(self):
 # Set defaults
 self.key = self.value = self.coded_value = None
@@ -435,15 +437,18 @@
 (?P<key> # Start of group 'key'
 """ + _LegalCharsPatt + r"""+? # Any word of at least one letter
 ) # End of group 'key'
- \s*=\s* # Equal Sign
- (?P<val> # Start of group 'val'
- "(?:[^\\"]|\\.)*" # Any doublequoted string
- | # or
+ ( # Optional group: there may not be a value.
+ \s*=\s* # Equal Sign
+ (?P<val> # Start of group 'val'
+ "(?:[^\\"]|\\.)*" # Any doublequoted string
+ | # or
 \w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT # Special case for "expires" attr
- | # or
- """ + _LegalCharsPatt + r"""* # Any word or empty string
- ) # End of group 'val'
- \s*;? # Probably ending in a semi-colon
+ | # or
+ """ + _LegalCharsPatt + r"""* # Any word or empty string
+ ) # End of group 'val'
+ )? # End of optional value group
+ \s* # Any number of spaces.
+ (\s+|;|$) # Ending either at space, semicolon, or EOS.
 """, re.ASCII) # May be removed if safe.
 
 
@@ -549,8 +554,12 @@
 M[key[1:]] = value
 elif key.lower() in Morsel._reserved:
 if M:
- M[key] = _unquote(value)
- else:
+ if value is None:
+ if key.lower() in Morsel._flags:
+ M[key] = True
+ else:
+ M[key] = _unquote(value)
+ elif value is not None:
 rval, cval = self.value_decode(value)
 self.__set(key, rval, cval)
 M = self[key]
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -109,13 +109,51 @@
 self.assertEqual(C.output(),
 'Set-Cookie: Customer="WILE_E_COYOTE"; Max-Age=10')
 
- # others
+ def test_set_secure_httponly_attrs(self):
 C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
 C['Customer']['secure'] = True
 C['Customer']['httponly'] = True
 self.assertEqual(C.output(),
 'Set-Cookie: Customer="WILE_E_COYOTE"; httponly; secure')
 
+ def test_secure_httponly_false_if_not_present(self):
+ C = cookies.SimpleCookie()
+ C.load('eggs=scrambled; Path=/bacon')
+ self.assertFalse(C['eggs']['httponly'])
+ self.assertFalse(C['eggs']['secure'])
+
+ def test_secure_httponly_true_if_present(self):
+ # Issue 16611
+ C = cookies.SimpleCookie()
+ C.load('eggs=scrambled; httponly; secure; Path=/bacon')
+ self.assertTrue(C['eggs']['httponly'])
+ self.assertTrue(C['eggs']['secure'])
+
+ def test_secure_httponly_true_if_have_value(self):
+ # This isn't really valid, but demonstrates what the current code
+ # is expected to do in this case.
+ C = cookies.SimpleCookie()
+ C.load('eggs=scrambled; httponly=foo; secure=bar; Path=/bacon')
+ self.assertTrue(C['eggs']['httponly'])
+ self.assertTrue(C['eggs']['secure'])
+ # Here is what it actually does; don't depend on this behavior. These
+ # checks are testing backward compatibility for issue 16611.
+ self.assertEqual(C['eggs']['httponly'], 'foo')
+ self.assertEqual(C['eggs']['secure'], 'bar')
+
+ def test_bad_attrs(self):
+ # issue 16611: make sure we don't break backward compatibility.
+ C = cookies.SimpleCookie()
+ C.load('cookie=with; invalid; version; second=cookie;')
+ self.assertEqual(C.output(),
+ 'Set-Cookie: cookie=with\r\nSet-Cookie: second=cookie')
+
+ def test_extra_spaces(self):
+ C = cookies.SimpleCookie()
+ C.load('eggs = scrambled ; secure ; path = bar ; foo=foo ')
+ self.assertEqual(C.output(),
+ 'Set-Cookie: eggs=scrambled; Path=bar; secure\r\nSet-Cookie: foo=foo')
+
 def test_quoted_meta(self):
 # Try cookie with quoted meta-data
 C = cookies.SimpleCookie()
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -40,6 +40,9 @@
 Library
 -------
 
+- Issue #16611: http.cookie now correctly parses the 'secure' and 'httponly'
+ cookie flags.
+
 - Issue #11973: Fix a problem in kevent. The flags and fflags fields are now
 properly handled as unsigned.
 
-- 
Repository URL: http://hg.python.org/cpython

---

• Previous message: [Python-checkins] cpython (3.3): #16611: BaseCookie now parses 'secure' and 'httponly' flags.
• Next message: [Python-checkins] cpython (2.7): Issue #18817: Fix a resource warning in Lib/aifc.py demo.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list