subject:"\[issue31456\] SimpleCookie fails to parse any cookie if an entry has whitespace in the name"

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2019-11-28 Thread Joel Rosdahl



Change by Joel Rosdahl :


--
nosy: +Joel Rosdahl

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2019-01-28 Thread Rémi Lapeyre


Rémi Lapeyre  added the comment:

It may be relevant: Ruby accept whitespaces in the name of the morsel:

➜  ~ irb
irb(main):002:0> require "cgi"
=> true
irb(main):003:0> CGI::Cookie::parse "ASDF=stuff; ASDF space=more stuff"
=> {"ASDF"=>##https://bugs.python.org/issue31456>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2019-01-28 Thread Rémi Lapeyre


Change by Rémi Lapeyre :


--
nosy: +remi.lapeyre

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2019-01-26 Thread Martin Panter


Martin Panter  added the comment:

The main cause of this behaviour is that whitespace (matching the ASCII RE 
“\s”) is treated as separation between cookie “morsels”. It looks like this has 
always been the behaviour, but I’m not sure it was intended.

>>> print(BaseCookie('first=morsel second=morsel'))
Set-Cookie: first=morsel
Set-Cookie: second=morsel

This could be a security problem, if an attacker managed to inject a CSRF token 
as the second “morsel”. This was mentioned in 
.

IMO it would be better to not split off a second morsel. Either keep it as one 
long morsel value with spaces in, or skip over it to the next semicolon (;).

The reason why the whole cookie string is lost is due to the behaviour of 
cookie morsels without equals signs:

>>> BaseCookie('cookie=lost; ignore').items()
dict_items([])

IMO it would be better to skip over these to the next semicolon as well. It 
looks like this is a regression in Python 3.5+ caused by Issue 22796.

--
nosy: +martin.panter

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2017-10-10 Thread Adam Davis


Adam Davis  added the comment:

Quietly throw out the one bad value, sure. You lose all cookies in your cookie 
string in this scenario. 

I'd expect "ASDF=stuff; ASDF space=more stuff" to at least kick out the values 
that are legal.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2017-10-10 Thread Brad Smith


Brad Smith  added the comment:

According to RFC-6265 (which also references RFC-2616 to define "tokens"), the 
space character (and whitespace in general) is not valid in cookie-names or 
cookie-values.

RFC-6265: https://tools.ietf.org/html/rfc6265#section-4.1.1
RFC-2616: https://tools.ietf.org/html/rfc2616#section-2.2

I think it's reasonable for Python to quietly throw away malformed NAME=VALUE 
pairs since web browsers are likely doing the same.

--
nosy: +infinitewarp

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

2017-09-13 Thread Adam Davis


New submission from Adam Davis:

```>>> from http.cookies import SimpleCookie
>>> cookie_string = "ASDF=stuff; ASDF space=more stuff"
>>> cookie = SimpleCookie()
>>> cookie.load(cookie_string)
>>> cookie.items()
dict_items([])
>>> cookie_string = "ASDF=stuff"
>>> cookie.load(cookie_string)
>>> cookie.items()
dict_items([('ASDF', )])```

cookie.load should throw an error, or at least parse the cookies it can parse.

--
components: Library (Lib)
messages: 302105
nosy: Adam Davis
priority: normal
severity: normal
status: open
title: SimpleCookie fails to parse any cookie if an entry has whitespace in the 
name
type: behavior
versions: Python 3.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

[issue31456] SimpleCookie fails to parse any cookie if an entry has whitespace in the name

7 matches

Site Navigation

Mail list logo

Footer information