New submission from Christopher Foo: Something like "Set-Cookie: ; Expires=Thu, 01 Jan 1970 00:00:10 GMT" causes the resulting cookie.value to be parsed as an int.
I expected either str or None as described in the documentation. Example evil server: try: import http.server as http_server except ImportError: import BaseHTTPServer as http_server class MyHandler(http_server.BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header('Set-Cookie', '; Expires=Thu, 01 Jan 1970 00:00:10 GMT') self.send_header('Set-Cookie', 'good=123.45600') self.end_headers() def main(): server = http_server.HTTPServer(('127.0.0.1', 8000), MyHandler) server.serve_forever() if __name__ == '__main__': main() Example innocent client: try: import http.cookiejar as http_cookiejar except ImportError: import cookielib as http_cookiejar try: import urllib.request as urllib_request except ImportError: import urllib2 as urllib_request def main(): cj = http_cookiejar.CookieJar() opener = urllib_request.build_opener(urllib_request.HTTPCookieProcessor(cj)) r = opener.open("http://127.0.0.1:8000/") print(cj._cookies) if __name__ == '__main__': main() The resulting output is: {'127.0.0.1': {'/': {'expires': Cookie(version=0, name='expires', value=10.0, port=None, port_specified=False, domain='127.0.0.1', domain_specified=False, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False), 'good': Cookie(version=0, name='good', value='123.45600', port=None, port_specified=False, domain='127.0.0.1', domain_specified=False, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)}}} It gives two cookies where the first one contains name='expires', value=10.0 which is unexpected. I expected that either the bad cookie is discarded or it is accepted but the value is always a str (even if it is garbage) or None. This bug was found in my custom cookie policy where I do len(cookie.value or ''). There is also a reference on StackOverflow but I believe no Python library bug report was filed: http://stackoverflow.com/q/20325571/1524507 . This was tested on Python 2.7.8, 3.2.6, 3.3.6, and 3.4.2. ---------- components: Library (Lib) messages: 233227 nosy: chfoo priority: normal severity: normal status: open title: cookiejar parses cookie value as int with empty name-value pair and Expires type: behavior versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5 _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue23138> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com