#33212: Incorrect cookie parsing by django.http.cookie.parse_cookie
---------------------------------------------+-------------------------
Reporter: Christos Georgiou | Owner: nobody
Type: Bug | Status: new
Component: Core (Other) | Version: 3.2
Severity: Normal | Keywords: cookies
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
---------------------------------------------+-------------------------
I understand that Python's http.cookies has issues with invalid cookies
that are used in the wild anyway. An example of such a cookie is (you'll
probably see a cookie with raw JSON as value if you happen to use HotJar):
{{{
valid_cookie=12; invalid_cookie={"k1": "v1", "k2": "v2"}; valid_cookie2="other value"
}}}
Python's parsing will only parse `valid_cookie`, while Django's
django.http.cookie.parse_cookie will parse all of them.
However, this imaginary cookie is incorrectly parsed:
{{{
django_cookie=good_value; third_party="some_cookie=some_value; django_cookie=bad_value"
}}}
{{{
>>> from django.http.cookie import parse_cookie
>>> parse_cookie('''django_cookie=good_value; third_party="some_cookie=some_value; django_cookie=bad_value"''')
{'django_cookie': 'bad_value"', 'third_party': '"some_cookie=some_value'}
}}}
One would expect `django_cookie` to have `good_value`.
If you consider this as grave enough, I can supply a patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/33212>
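
The behaviour reported in this ticket, as an added example that is not part of the original report and is not Django's code: `naive_parse` is a stand-in that splits on every `;` and reproduces the output shown above, while `split_quote_aware`, `quote_aware_parse` and `shadowed_names` are hypothetical helpers showing a split that respects double quotes and a check for cookie names that end up assigned twice.

```python
# Added illustration; not Django's implementation.
# Header string taken from the ticket.
HEADER = ('django_cookie=good_value; '
          'third_party="some_cookie=some_value; django_cookie=bad_value"')


def split_quote_aware(header):
    """Split on ';' only when outside a double-quoted value."""
    chunks, buf, in_quotes = [], [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            chunks.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    chunks.append("".join(buf))
    # Assumption: an unterminated quote is treated as malformed input and
    # falls back to the plain split instead of swallowing later cookies.
    return header.split(";") if in_quotes else chunks


def to_pairs(chunks):
    """Turn 'name=value' chunks into stripped (name, value) tuples."""
    pairs = []
    for chunk in chunks:
        key, sep, val = chunk.partition("=")
        if not sep:
            key, val = "", chunk
        key, val = key.strip(), val.strip()
        if key or val:
            pairs.append((key, val))
    return pairs


def naive_parse(header):
    # Later duplicates overwrite earlier ones, as in the ticket's output.
    return dict(to_pairs(header.split(";")))


def quote_aware_parse(header):
    return dict(to_pairs(split_quote_aware(header)))


def shadowed_names(header):
    """Names that the plain split assigns more than once."""
    names = [k for k, _ in to_pairs(header.split(";"))]
    return sorted({n for n in names if names.count(n) > 1})
```

Values keep their surrounding quotes here; unquoting is left out to keep the focus on where the header is split.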