Martin Panter <[email protected]> added the comment:
I think LCatro is saying that Python should accept the cookies and discard only
the offending attributes. This makes sense to me and tends to agree with the
specifications, but the three cases all seem unimportant to me.
PoC 1, Max-age:
>>> from cookielib import CookieJar, DefaultCookiePolicy
>>> from urllib2 import Request
>>> from test.test_cookielib import FakeResponse
>>> cookies = CookieJar(DefaultCookiePolicy())
>>> request = Request('http://127.0.0.1/requests_test.php')
>>> cookies.extract_cookies(FakeResponse(()), request)  # Issue 12144
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; max-age=a',)),
...     request)  # No cookies returned
[]
RFC 6265 says Max-age should be ignored if it does not start with a digit or
minus sign: <https://tools.ietf.org/html/rfc6265#section-5.2.2>. Netscape did
not specify Max-age at all. So I agree that the cookie should be retained.
PoC 2, Domain: You have to omit the equals sign to satisfy “v is None” and
discard the cookie record, otherwise “v” is just an empty string '':
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain=;',)),
...     request)  # v == ''
[Cookie(version=0, name='test', value='123', port=None, port_specified=False,
domain='.', domain_specified=True, domain_initial_dot=False, path='/',
path_specified=False, secure=False, expires=None, discard=True, comment=None,
comment_url=None, rest={}, rfc2109=False)]
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain;',)),
...     request)  # v is None
[]
RFC 6265 says both these cases should be treated the same, and recommends
ignoring Domain in these cases.
PoC 3, Version:
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; version=a;',)),
...     request)  # No cookies returned
[]
The Version attribute is only specified by RFC 2109. Since the IETF has
obsoleted it, I suggest deprecating RFC 2109 support in the Python module.
That way, if a real problem is demonstrated, we can remove the parts that are
causing the problem.
----------
nosy: +martin.panter
priority: normal -> low
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue33017>
_______________________________________
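
Added example (not part of the message above and not cookielib code): a Python 3 sketch of the RFC 6265 section 5.2 handling the comment refers to, where the cookie is kept and only the offending attribute is dropped. The function name parse_set_cookie and its return shape are assumptions made for this illustration.

```python
# Added illustration of RFC 6265 section 5.2 attribute handling; not cookielib code.
DIGITS = set("0123456789")

def parse_set_cookie(header_value):
    """Return (name, value, attrs, ignored), or None if the cookie is rejected.

    attrs holds attributes that passed validation; ignored lists the names of
    attributes dropped while the cookie itself is retained.
    """
    pair, _, rest = header_value.partition(";")
    name, eq, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not eq or not name:
        return None  # no usable name-value pair: the whole cookie is rejected
    attrs, ignored = {}, []
    for av in rest.split(";"):
        # "domain" and "domain=" both produce an empty attribute-value here
        key, _, val = av.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not key:
            continue
        if key == "max-age":
            # 5.2.2: must start with a digit or "-", remainder digits only
            # (a bare "-" is also dropped here; that is this sketch's choice)
            digits = val[1:] if val.startswith("-") else val
            if digits and set(digits) <= DIGITS:
                attrs[key] = int(val)
            else:
                ignored.append(key)
        elif key == "domain":
            # 5.2.3: an empty value means the attribute is ignored
            if val:
                attrs[key] = (val[1:] if val.startswith(".") else val).lower()
            else:
                ignored.append(key)
        elif key in ("path", "expires"):
            attrs[key] = val
        elif key in ("secure", "httponly"):
            attrs[key] = True
        else:
            ignored.append(key)  # unrecognised, e.g. Version from RFC 2109
    return name, value, attrs, ignored

if __name__ == "__main__":
    # Header values taken from the three PoCs in the message above
    for h in ("test=123; max-age=a", "test=123; domain=;",
              "test=123; domain;", "test=123; version=a;"):
        print(h, "->", parse_set_cookie(h))
```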