[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2019-12-13 Thread Cheryl Sabella


Change by Cheryl Sabella :


--
stage: patch review -> resolved
status: pending -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2019-04-24 Thread Martin Panter


Change by Martin Panter :


--
resolution:  -> rejected
status: open -> pending




[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2019-01-26 Thread Martin Panter

Martin Panter  added the comment:

I think making a comma start a new cookie is dangerous, and perhaps this 
proposal should be rejected.

I’m not an expert on web programming, but this reminds me of some security 
problems that already affected Python: 
. In 
a web page, JavaScript could set a cookie with a single name and a comma in 
the value.

document.cookie = 'a=b,csrftoken=INJECTED'

Currently, Python in the server would parse that the way the script intended:

>>> C = BaseCookie('a=b,csrftoken=INJECTED')
>>> C['a'].value
'b,csrftoken=INJECTED'
>>> C['csrftoken'].value
KeyError: 'csrftoken'

But with the proposed change, Python would be tricked into parsing it as two 
separate “morsels”:

>>> C['csrftoken'].value
'INJECTED'

--
nosy: +martin.panter
type: behavior -> enhancement




[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2018-11-12 Thread Rémi Lapeyre

Change by Rémi Lapeyre :


--
keywords: +patch
pull_requests: +9752
stage:  -> patch review




[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2018-11-10 Thread Rémi Lapeyre

Rémi Lapeyre  added the comment:

This is not a valid cookie string and I think neither Django nor Nginx would 
understand this cookie correctly.

On the other hand, per RFC 6265 the comma is a forbidden character in a cookie 
value (https://tools.ietf.org/html/rfc6265#section-4.1.1):

cookie-pair   = cookie-name "=" cookie-value
cookie-name   = token
cookie-value  = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet  = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
   ; US-ASCII characters excluding CTLs,
   ; whitespace DQUOTE, comma, semicolon,
   ; and backslash

so there is no official way to parse the given string (when a comma is present 
in the value, the cookie should be encoded as base 64).

Since this is not a valid cookie string anyway, I think the solution proposed 
by Kyle is appropriate.

--
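Added example, not part of the issue thread or of CPython: it puts the two comments above side by side. It runs the `a=b,csrftoken=INJECTED` string from Martin Panter's comment through the stdlib `http.cookies.SimpleCookie` (which keeps the comma inside the single value), through a hypothetical comma-splitting parser of the kind the issue proposed, and through a strict validator built from the RFC 6265 `cookie-octet` grammar quoted by Rémi Lapeyre, which rejects the string instead of guessing at it. The input string is constructed from the thread; `comma_splitting_parse`, `strict_parse` and `is_rfc6265_cookie` are names chosen here.

```python
# Added example (not from the bpo-23930 thread or CPython): stdlib parsing of a
# comma-in-value cookie versus a strict RFC 6265 validator that rejects it.
import re
from http.cookies import SimpleCookie

# Constructed input, taken from the scenario described in the thread.
HEADER = 'a=b,csrftoken=INJECTED'

# RFC 6265 section 4.1.1 cookie-octet: US-ASCII excluding CTLs, whitespace,
# DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTET = r'[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]'
_COOKIE_VALUE = re.compile(r'^(?:%s*|"%s*")$' % (_COOKIE_OCTET, _COOKIE_OCTET))
# RFC 2616 token for cookie-name: no CTLs, no separators.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def stdlib_parse(header):
    """Parse with http.cookies.SimpleCookie; returns {name: value}.
    The comma stays inside the single 'a' morsel."""
    cookie = SimpleCookie()
    cookie.load(header)
    return {name: morsel.value for name, morsel in cookie.items()}


def comma_splitting_parse(header):
    """Hypothetical parser that treats ',' like ';' (the behaviour the issue
    proposed).  Shown only to make the extra 'csrftoken' morsel visible."""
    out = {}
    for pair in re.split(r'[;,]', header):
        name, _, value = pair.strip().partition('=')
        if name:
            out[name] = value
    return out


def strict_parse(header):
    """Split on ';' only and check every pair against the RFC 6265 grammar.
    Raises ValueError on the first malformed pair instead of guessing, so a
    value that smuggles a second 'name=' never reaches the application."""
    out = {}
    for pair in header.split(';'):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition('=')
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN.match(name):
            raise ValueError('bad cookie-name in %r' % pair)
        if not _COOKIE_VALUE.match(value):
            raise ValueError('bad cookie-value for %r: %r' % (name, value))
        out[name] = value
    return out


def is_rfc6265_cookie(header):
    """True if every pair in the header is well-formed per RFC 6265."""
    try:
        strict_parse(header)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    print(stdlib_parse(HEADER))           # {'a': 'b,csrftoken=INJECTED'}
    print(comma_splitting_parse(HEADER))  # {'a': 'b', 'csrftoken': 'INJECTED'}
    print(is_rfc6265_cookie(HEADER))      # False
    print(strict_parse('a=b; csrftoken=real'))
```

The point for a server is the last two calls: a parser that silently splits on commas hands the application a `csrftoken` morsel the browser never sent as a separate cookie, whereas validating each value against `cookie-octet` makes the malformed header an error that can be logged and rejected.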




[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2018-11-10 Thread Rémi Lapeyre

Change by Rémi Lapeyre :


--
nosy: +remi.lapeyre




[issue23930] http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly

2016-08-22 Thread Martin Panter

Changes by Martin Panter :


--
title: SimpleCookie doesn't  parse comma-only separated cookies correctly -> 
http.cookies.SimpleCookie doesn't parse comma-only separated cookies correctly
