New submission from Christopher Foo:
Something like "Set-Cookie: ; Expires=Thu, 01 Jan 1970 00:00:10 GMT" causes the
resulting cookie.value to be parsed as an int.
I expected either str or None as described in the documentation.
Example evil server:

# Python 3 module name first, Python 2 fallback
try:
    import http.server as http_server
except ImportError:
    import BaseHTTPServer as http_server


class MyHandler(http_server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        # Empty name-value pair followed by an Expires attribute
        self.send_header('Set-Cookie', '; Expires=Thu, 01 Jan 1970 00:00:10 GMT')
        self.send_header('Set-Cookie', 'good=123.45600')
        self.end_headers()


def main():
    server = http_server.HTTPServer(('127.0.0.1', 8000), MyHandler)
    server.serve_forever()


if __name__ == '__main__':
    main()

Example innocent client:

# Python 3 module names first, Python 2 fallbacks
try:
    import http.cookiejar as http_cookiejar
except ImportError:
    import cookielib as http_cookiejar
try:
    import urllib.request as urllib_request
except ImportError:
    import urllib2 as urllib_request


def main():
    cj = http_cookiejar.CookieJar()
    opener = urllib_request.build_opener(urllib_request.HTTPCookieProcessor(cj))
    r = opener.open("http://127.0.0.1:8000/")
    # Dump the jar's internal domain -> path -> name mapping
    print(cj._cookies)


if __name__ == '__main__':
    main()

The resulting output is:
{'127.0.0.1': {'/': {'expires': Cookie(version=0, name='expires', value=10.0,
port=None, port_specified=False, domain='127.0.0.1', domain_specified=False,
domain_initial_dot=False, path='/', path_specified=False, secure=False,
expires=None, discard=True, comment=None, comment_url=None, rest={},
rfc2109=False), 'good': Cookie(version=0, name='good', value='123.45600',
port=None, port_specified=False, domain='127.0.0.1', domain_specified=False,
domain_initial_dot=False, path='/', path_specified=False, secure=False,
expires=None, discard=True, comment=None, comment_url=None, rest={},
rfc2109=False)}}}
It gives two cookies where the first one contains name='expires', value=10.0
which is unexpected. I expected that either the bad cookie is discarded or it
is accepted but the value is always a str (even if it is garbage) or None.
This bug was found in my custom cookie policy where I do len(cookie.value or
''). There is also a reference on StackOverflow but I believe no Python library
bug report was filed: http://stackoverflow.com/q/20325571/1524507 .
This was tested on Python 2.7.8, 3.2.6, 3.3.6, and 3.4.2.
----------
components: Library (Lib)
messages: 233227
nosy: chfoo
priority: normal
severity: normal
status: open
title: cookiejar parses cookie value as int with empty name-value pair and
Expires
type: behavior
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue23138>
_______________________________________
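
A client-side guard for the case reported above, added here as an example (it is not code from the report or from CPython): a cookie policy that refuses any cookie whose name is empty or whose value is neither str nor None, so later code such as len(cookie.value or '') never sees a number. StrValuePolicy, FakeResponse, make_cookie and accepted_cookies are hypothetical names; the headers are the two from the report's example server, fed to the jar offline.

```python
import email.message
import http.cookiejar
import urllib.request

# The two Set-Cookie header values sent by the report's example server.
REPORT_HEADERS = ["; Expires=Thu, 01 Jan 1970 00:00:10 GMT", "good=123.45600"]


class StrValuePolicy(http.cookiejar.DefaultCookiePolicy):
    """Hypothetical policy: refuse cookies whose name or value has an undocumented type."""

    def set_ok(self, cookie, request):
        if not isinstance(cookie.name, str) or not cookie.name:
            return False
        if cookie.value is not None and not isinstance(cookie.value, str):
            return False  # e.g. the value=10.0 cookie shown in the report
        return super().set_ok(cookie, request)


class FakeResponse:
    """Offline stand-in for a response; CookieJar only calls info().get_all()."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # repeated assignment appends headers

    def info(self):
        return self._msg


def make_cookie(name, value):
    """Build a constructed Cookie shaped like the ones in the report's output."""
    return http.cookiejar.Cookie(
        0, name, value, None, False, "127.0.0.1", False, False,
        "/", False, False, None, True, None, None, {})


def accepted_cookies(set_cookie_values, url="http://127.0.0.1:8000/"):
    """Run headers through a CookieJar guarded by the policy; return name -> value."""
    jar = http.cookiejar.CookieJar(policy=StrValuePolicy())
    jar.extract_cookies(FakeResponse(set_cookie_values), urllib.request.Request(url))
    return {c.name: c.value for c in jar}


if __name__ == "__main__":
    print(accepted_cookies(REPORT_HEADERS))
```

The type check runs before the default policy checks, so the result is the same whether or not the interpreter's header parser produces the malformed cookie.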