summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorR. David Murray <rdmurray@bitdance.com>2010-12-28 18:54:13 (GMT)
committerR. David Murray <rdmurray@bitdance.com>2010-12-28 18:54:13 (GMT)
commite05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12 (patch)
tree5acbe67bba3c5dd2f939c9a45179207f8e903ff2
parent8aa7e999b5ab87cdbefe441649c223647875c110 (diff)
downloadcpython-e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12.zip
cpython-e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12.tar.gz
cpython-e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12.tar.bz2
#9824: encode , and ; in cookie values so that browsers don't split on them
There is a small chance of backward incompatibility here, but only for non-SimpleCookie applications reading SimpleCookie generated cookies. Even then, any such ap is likely to be handling escaped values already, and it would take a fairly perverse implementation of unescaping to fail to unescape these newly escaped chars, so the risk seems minimal.
-rw-r--r--Lib/http/cookies.py5
-rw-r--r--Lib/test/test_http_cookies.py8
-rw-r--r--Misc/NEWS3
3 files changed, 16 insertions, 0 deletions
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index fb9589c..93da627 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -173,6 +173,11 @@ _Translator = {
'\033' : '\\033', '\034' : '\\034', '\035' : '\\035',
'\036' : '\\036', '\037' : '\\037',
+ # Because of the way browsers really handle cookies (as opposed
+ # to what the RFC says) we also encode , and ;
+
+ ',' : '\\054', ';' : '\\073',
+
'"' : '\\"', '\\' : '\\\\',
'\177' : '\\177', '\200' : '\\200', '\201' : '\\201',
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index b008e0f..f9a98c4 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -69,6 +69,14 @@ class CookieTests(unittest.TestCase):
</script>
""")
+ def test_extended_encode(self):
+ # Issue 9824: some browsers don't follow the standard; we now
+ # encode , and ; to keep them from tripping up.
+ C = cookies.SimpleCookie()
+ C['val'] = "some,funky;stuff"
+ self.assertEqual(C.output(['val']),
+ 'Set-Cookie: val="some\\054funky\\073stuff"')
+
def test_special_attrs(self):
# 'expires'
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
diff --git a/Misc/NEWS b/Misc/NEWS
index f69abcf..8eec18e 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -20,6 +20,9 @@ Core and Builtins
Library
-------
+- Issue 9824: SimpleCookie now encodes , and ; in values to cater to how
+ browsers actually parse cookies.
+
- Issue 9333: os.symlink now available regardless of user privileges.
The function now raises OSError on Windows >=6.0 when the user is unable
to create symbolic links. XP and 2003 still raise NotImplementedError.