Issue #26302: Correctly identify comma as an invalid character for a cookie (correcting regression in Python 3.5).

3 files changed, 10 insertions, 1 deletions

diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index fda02b7..dbddd6c 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -174,7 +174,7 @@ _Translator.update({
     ord('\\'): '\\\\',
 })
 
-_is_legal_key = re.compile('[%s]+' % _LegalChars).fullmatch
+_is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch
 
 def _quote(str):
     r"""Quote a string for use in a cookie header.
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index d3e06a4..2432e0b 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -210,6 +210,12 @@ class CookieTests(unittest.TestCase):
                 C1 = pickle.loads(pickle.dumps(C, protocol=proto))
                 self.assertEqual(C1.output(), expected_output)
 
+    def test_illegal_chars(self):
+        rawdata = "a=b; c,d=e"
+        C = cookies.SimpleCookie()
+        with self.assertRaises(cookies.CookieError):
+            C.load(rawdata)
+
 
 class MorselTests(unittest.TestCase):
     """Tests for the Morsel object."""
diff --git a/Misc/NEWS b/Misc/NEWS
index fd4ca59..a0ccaef 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: tba
 Core and Builtins
 -----------------
 
+- Issue #26302: Correct behavior to reject comma as a legal character for
+  cookie names.
+
 - Issue #4806: Avoid masking the original TypeError exception when using star
   (*) unpacking in function calls.  Based on patch by Hagen Fürstenau and
   Daniel Urban.