On Saturday 23 January 2010 01:20:55 Sean Brant wrote:

> What's the downside of fixing this at the core cookie handling
>  level? I agree with Luke and only ran across this bug when the new
>  messaging framework dropped. However if we are going to fix the
>  problem, and I do think it's a problem even if it's a browser bug,
>  should we just fix it at the core level and handle all cookies
>  down the road? Would previously stored cookies that are not URL
>  quoted even fail when trying to unquote? Maybe I'm wrong but this
>  seems pretty backwards compatible.

It's true that the vast majority of existing cookie values will be 
interpreted the same whether you URL-unquote or not, i.e.

 unquote_cookie(value) == value

in many cases so this isn't a big deal.  But it's not *always* true, 
otherwise there is no need for unquote_cookie.  And every time it's 
not true is a potential bug with previously stored cookies.  The most 
likely scenario I can think of is if a cookie is being used to store 
some query string or previous URL (like a saved search), which might 
then be used literally in some way (e.g. as the parameter to 
HttpResponseRedirect).  By URL unquoting, when we didn't before, we 
would introduce a bug.

e.g. 
 HttpResponseRedirect("http://foo.com/?q=fr%C3%A8re")

is not the same as

 HttpResponseRedirect("http://foo.com/?q=fr\xc3\xa8re")

(the latter throws an exception in this case).

BTW, Turbogears' solution is actually buggy for some input:

>>> assert unquote_cookie(quote_cookie("%25")) == "%25"
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AssertionError

Coming up with your own encoding is sometimes trickier than it looks.

I don't think this is a big deal because, either way, I don't think 
many people are going to be affected.

BTW, further research shows that we are not really RFC 2109 compliant 
at all, but then again no-one is.  It seems virtually everyone (server 
side and client side) is using 'Netscape style' cookies with some 
things adopted from RFC 2109 and RFC 2965, including 'max-age' and the 
use of quoted-string, but not the all important "Version" attribute 
which turns on RFC 2109 cookies.  Hardly anyone is using Set-Cookie2 
from RFC 2965.  So specs of any kind are fairly meaningless here; it's 
a matter of what everyone does.


Luke

-- 
Sometimes I wonder if men and women really suit each other. Perhaps 
they should live next door and just visit now and then. (Katherine 
Hepburn)

Luke Plant || http://lukeplant.me.uk/
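The two failure modes Luke describes above, as an added example that is not part of the thread or of Django's or TurboGears' code: an encoder that leaves "%" unescaped cannot round-trip "%25", and unconditionally unquoting a legacy cookie that stores a URL changes that URL. The function names `naive_quote_cookie`, `quote_cookie`, `unquote_cookie`, `roundtrips` and `changes_under_unquote` are assumptions made for this illustration; `naive_quote_cookie` is a constructed stand-in for the class of bug, not TurboGears' actual implementation.

```python
from urllib.parse import quote, unquote


# Constructed stand-in (assumption, not TurboGears' code): escapes
# characters illegal in a Netscape-style cookie value but leaves '%'
# alone, so an input that already looks percent-encoded is ambiguous.
def naive_quote_cookie(value: str) -> str:
    return "".join(
        c if c.isalnum() or c in "-_.%" else quote(c, safe="")
        for c in value
    )


# Corrected encoder: '%' is escaped as well, so every '%XX' in the
# stored value was produced by the encoder and decoding is unambiguous.
def quote_cookie(value: str) -> str:
    return quote(value, safe="")


def unquote_cookie(value: str) -> str:
    return unquote(value)


def roundtrips(encoder, value: str) -> bool:
    """True if decoding the encoded value gives the original back."""
    return unquote_cookie(encoder(value)) == value


def changes_under_unquote(stored: str) -> bool:
    """Check for a cookie written before URL-quoting was introduced:
    does reading it back through unquote alter its meaning?"""
    return unquote_cookie(stored) != stored


if __name__ == "__main__":
    # Constructed sample: a saved-search URL stored in a cookie.
    legacy = "http://foo.com/?q=fr%C3%A8re"
    print(roundtrips(naive_quote_cookie, "%25"))   # False
    print(roundtrips(quote_cookie, "%25"))         # True
    print(changes_under_unquote(legacy))           # True
    print(unquote_cookie(legacy))                  # the URL has changed
```

`changes_under_unquote` is the check to run over existing cookie values before switching a site to unconditional unquoting: any value for which it returns True would be read back differently after the change.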
