[issue19869] BaseCookie does not complain if a non RFC compliant cookie header was given

[Martin Panter]

Martin Panter added the comment:

Due to the change in Issue 22796, a key without a value (“httponly,” in the 
example) now causes the parsing operation to be silently aborted. Perhaps we 
can close this?

--
nosy: +martin.panter

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19869] BaseCookie does not complain if a non RFC compliant cookie header was given

[R. David Murray]

R. David Murray added the comment:

RFCs and cookies don't have much to do with each other in real life.

The 'httponly' flag bug was fixed in issue 16611.

For backward compatibility reasons we can't start raising errors where we 
didn't raise them before, so if anything is going to be done it will have to be 
a bit more complicated, and a be a new feature.

--
nosy: +r.david.murray

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue19869
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19869] BaseCookie does not complain if a non RFC compliant cookie header was given

[Florian Pilz]

New submission from Florian Pilz:

BaseCookie should give an informative error, if a non RFC compliant header was 
given. The problem was, that we thought several cookies are allowed in one 
header in a cookie *response* header. However, this is only allowed in cookie 
*request* headers.

In those cases the output of BaseCookie looks broken, which caused a lot of 
confusion, since a standard library should not have so many flaws.

Example with parsing a response header with several cookies separated by comma 
(not allowed by RFC):

http.cookies.BaseCookie('foo=bar, oof=rab; httponly, bar=baz').output()
'Set-Cookie: bar=baz\r\nSet-Cookie: foo=bar,\r\nSet-Cookie: oof=rab'

Flaws:

* comma after 'foo=bar' in output
* the httponly flag was omitted (it would show up with a semi-colon after it, 
i.e. 'oof=rab; httponly;')
* input and output style are different, i.e. several cookies in one line were 
transformed to several cookies in several lines

I think the best solution is to fail early and hard, if there are several 
cookies in one header. Maybe some problems should be fixed anyway (trailing 
comma, different output style).

--
components: Library (Lib)
messages: 205077
nosy: florianpilz
priority: normal
severity: normal
status: open
title: BaseCookie does not complain if a non RFC compliant cookie header was 
given
type: behavior
versions: Python 3.3, Python 3.4, Python 3.5

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue19869
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com