Created on 2004-07-15 00:17 by zenzen, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Files | | |
|---|---|---|
| File name | Uploaded | Description |
| 991266test.patch | zdobersek, 2009-02-14 17:14 | Patch to test_cookie.py |
| 991266fix.patch | zdobersek, 2009-02-18 14:40 | Fix - properly quote cookie's comment |
| issue991266.diff | berker.peksag, 2016-04-25 12:04 | |
| Pull Requests | | |
|---|---|---|
| URL | Status | Linked |
| PR 6555 | merged | berker.peksag, 2018-04-20 21:29 |
| PR 6570 | merged | miss-islington, 2018-04-22 23:48 |
| PR 6571 | merged | miss-islington, 2018-04-22 23:49 |
| Messages (15) | |||
|---|---|---|---|
| msg60528 | Author: Stuart Bishop (zenzen) | Date: 2004-07-15 00:17 | |
The quoting works fine for cookie values, but doesn't kick in for
attributes like Comment.
>>> c = SimpleCookie()
>>> c['foo'] = u'\N{COPYRIGHT SIGN}'.encode('UTF8')
>>> print str(c)
Set-Cookie: foo="\302\251";
>>> c['foo']['comment'] = u'\N{BIOHAZARD SIGN}'.encode('UTF8')
>>> print str(c)
Set-Cookie: foo="\302\251"; Comment=?;
>>> str(c)
'Set-Cookie: foo="\\302\\251"; Comment=\xe2\x98\xa3;'
>>>
|
|||
| msg82094 | Author: Zan Dobersek (zdobersek) | Date: 2009-02-14 17:14 | |
This patch adds a Unicode character, converted to UTF8, as a cookie's comment and then checks if it is correctly quoted. |
|||
| msg82418 | Author: Zan Dobersek (zdobersek) | Date: 2009-02-18 14:40 | |
This patch properly quotes cookie's comment and successfully passes test_cookie.py with applied patch. |
|||
| msg82420 | Author: Daniel Diniz (ajaksu2) * (Python triager) | Date: 2009-02-18 15:07 | |
Thanks, Zan! All tests pass with both patches applied. Test and fix look correct to me. |
|||
| msg110392 | Author: Mark Lawrence (BreamoreBoy) * | Date: 2010-07-15 22:17 | |
Can someone please take a look at this Cookie.py two line patch. |
|||
| msg114367 | Author: Mark Lawrence (BreamoreBoy) * | Date: 2010-08-19 15:12 | |
Can we have this committed please, msg82420 says the patches are ok. |
|||
| msg264172 | Author: Berker Peksag (berker.peksag) * (Python committer) | Date: 2016-04-25 12:04 | |
Here is a patch for Python 3. |
|||
| msg315496 | Author: Alex Gaynor (alex) * (Python committer) | Date: 2018-04-20 00:16 | |
Berker your patch looks good to me. Convert it to a PR and then merge? |
|||
| msg315498 | Author: Mark Williams (Mark.Williams) * | Date: 2018-04-20 02:04 | |
This patch only quotes the Comment attribute, and the rest of the code only quotes attributes if they're of the expected type. Consider Expires:

>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['name'] = 'value'
>>> c['name']['comment'] = '\n'
>>> c['name']['expires'] = 123
>>> c.output()
'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT'
>>> c['name']['expires'] = '123; path=.example.invalid'
'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'

Here's the offending line: https://github.com/python/cpython/blob/b87c1c92fc93c5733cd3d8606ab2301ca6ba208f/Lib/http/cookies.py#L415

Why not quote all attribute values? |
|||
| msg315499 | Author: Berker Peksag (berker.peksag) * (Python committer) | Date: 2018-04-20 03:04 | |
>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['name'] = 'value'
>>> c['name']['comment'] = '\n'
>>> c['name']['expires'] = '123; path=.example.invalid'
'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'

What do you think that the snippet above should return?

'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT; path=.example.invalid'

or

'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT; path=".example.invalid"'

or

'Set-Cookie: name=value; Comment="\\012"; expires=123; path=".example.invalid"'

?

I don't think the path attribute (or all of them) needs to be quoted unconditionally. Looking at https://tools.ietf.org/html/rfc6265#section-4.1.1, it looks like quoting for cookie-value is optional.

Is there a use case or examples from other programming languages you can share with us? |
|||
| msg315500 | Author: Alex Gaynor (alex) * (Python committer) | Date: 2018-04-20 03:07 | |
None of the above :-) I'd expect the last one, but with quoting. You should not be able to set fields in a cookie by injection. |
|||
| msg315634 | Author: Berker Peksag (berker.peksag) * (Python committer) | Date: 2018-04-22 23:48 | |
New changeset d5a2377c3d70e4143bcbee4a765b3434e21f683a by Berker Peksag in branch 'master': bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) https://github.com/python/cpython/commit/d5a2377c3d70e4143bcbee4a765b3434e21f683a |
|||
| msg315636 | Author: Berker Peksag (berker.peksag) * (Python committer) | Date: 2018-04-23 00:58 | |
New changeset 9fc998d761591f2741d8e94f5b3009c56ae83882 by Berker Peksag (Miss Islington (bot)) in branch '3.7': bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) https://github.com/python/cpython/commit/9fc998d761591f2741d8e94f5b3009c56ae83882 |
|||
| msg315637 | Author: Berker Peksag (berker.peksag) * (Python committer) | Date: 2018-04-23 00:58 | |
New changeset 8a6f4b4bba950fb8eead1b176c58202d773f2f70 by Berker Peksag (Miss Islington (bot)) in branch '3.6': bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) https://github.com/python/cpython/commit/8a6f4b4bba950fb8eead1b176c58202d773f2f70 |
|||
| msg316782 | Author: Berker Peksag (berker.peksag) * (Python committer) | Date: 2018-05-16 08:16 | |
I've opened bpo-33535 to discuss Mark Williams' suggestion. |
|||
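The attribute injection raised in msg315498 and msg315500, as an added example that is not part of the original thread or of CPython: a caller-side check that refuses attribute values outside the RFC 6265 `av-octets` set before they reach `SimpleCookie`, plus a view of how a receiver splits the output quoted in the thread. The names `set_attr_checked`, `client_view`, `THREAD_OUTPUT` and `demo` are hypothetical.

```python
import re
from http.cookies import SimpleCookie

# RFC 6265 section 4.1.1: an attribute value (av-octets) is any CHAR
# except CTLs or ";". Anything outside that set can end the attribute early.
_AV_OCTETS = re.compile(r"[\x20-\x3a\x3c-\x7e]*")


def set_attr_checked(cookie, name, attr, value):
    """Set cookie[name][attr]; refuse values that could start a new attribute.

    Hypothetical helper, not part of http.cookies.
    """
    # Integers are left to http.cookies, which formats them itself
    # (the expires = 123 case in the thread).
    if isinstance(value, int) and not isinstance(value, bool):
        cookie[name][attr] = value
        return
    if not isinstance(value, str) or not _AV_OCTETS.fullmatch(value):
        raise ValueError(f"unsafe value for cookie attribute {attr!r}: {value!r}")
    cookie[name][attr] = value


def client_view(header):
    """Split a Set-Cookie header as a receiver would: on ';', then on '='."""
    body = header.partition(": ")[2]
    attrs = {}
    for part in body.split(";")[1:]:  # element 0 is the name=value pair
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return attrs


# Output quoted in msg315498 after the unchecked string assignment.
THREAD_OUTPUT = 'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'


def demo():
    c = SimpleCookie()
    c["name"] = "value"
    set_attr_checked(c, "name", "path", "/app")
    try:
        set_attr_checked(c, "name", "expires", "123; path=.example.invalid")
        rejected = False
    except ValueError:
        rejected = True
    return c.output(), rejected, client_view(THREAD_OUTPUT)
```

`client_view(THREAD_OUTPUT)` reports a `path` attribute that the application never set as such, which is the effect msg315500 objects to; the checked setter rejects the same string before it is stored.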
| History | | | |
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:05 | admin | set | github: 40569 |
| 2018-05-16 08:16:42 | berker.peksag | set | status: open -> closed versions: - Python 2.7 messages: + msg316782 resolution: fixed stage: patch review -> resolved |
| 2018-04-23 00:58:53 | berker.peksag | set | messages: + msg315637 |
| 2018-04-23 00:58:33 | berker.peksag | set | messages: + msg315636 |
| 2018-04-22 23:49:21 | miss-islington | set | pull_requests: + pull_request6268 |
| 2018-04-22 23:48:27 | miss-islington | set | pull_requests: + pull_request6267 |
| 2018-04-22 23:48:14 | berker.peksag | set | messages: + msg315634 |
| 2018-04-20 21:29:51 | berker.peksag | set | pull_requests: + pull_request6251 |
| 2018-04-20 03:07:18 | alex | set | messages: + msg315500 |
| 2018-04-20 03:04:19 | berker.peksag | set | messages: + msg315499 versions: + Python 3.7, Python 3.8, - Python 3.4, Python 3.5 |
| 2018-04-20 02:04:19 | Mark.Williams | set | nosy: + Mark.Williams messages: + msg315498 versions: + Python 3.4 |
| 2018-04-20 00:16:17 | alex | set | nosy: + alex messages: + msg315496 |
| 2016-04-25 12:04:56 | berker.peksag | set | files: + issue991266.diff versions: + Python 3.5, Python 3.6, - Python 3.1, Python 3.2 nosy: + berker.peksag messages: + msg264172 |
| 2014-02-03 19:49:29 | BreamoreBoy | set | nosy: - BreamoreBoy |
| 2010-08-19 15:12:27 | BreamoreBoy | set | messages: + msg114367 |
| 2010-07-15 22:17:56 | BreamoreBoy | set | versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6 |
| 2010-07-15 22:17:00 | BreamoreBoy | set | nosy: + BreamoreBoy messages: + msg110392 |
| 2009-02-18 15:07:02 | ajaksu2 | set | nosy: + ajaksu2 messages: + msg82420 stage: test needed -> patch review |
| 2009-02-18 14:40:15 | zdobersek | set | files: + 991266fix.patch messages: + msg82418 |
| 2009-02-14 17:14:14 | zdobersek | set | files: + 991266test.patch keywords: + patch messages: + msg82094 nosy: + zdobersek |
| 2009-02-13 21:13:09 | jjlee | set | nosy: - jjlee |
| 2009-02-13 01:18:53 | ajaksu2 | set | nosy: + jjlee stage: test needed type: behavior versions: + Python 2.6, - Python 2.3 |
| 2004-07-15 00:17:04 | zenzen | create | |