#16611: BaseCookie now parses 'secure' and 'httponly' flags.

Previously it generated them if they were given a value, but completely
ignored them if they were present in the string passed in to be parsed.  Now
if the flag appears on a cookie, the corresponding Morsel key will reference a
True value.  Other pre-existing behavior is retained in this maintenance
patch: if the source contains something like 'secure=foo', morsel['secure']
will return 'foo'.  Since such a value doesn't round trip and never did (and
would be a surprising occurrence) a subsequent non-bug-fix patch may change
this behavior.

Inspired by a patch from Julien Phalip, who reviewed this one.

1 files changed, 19 insertions, 10 deletions

diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index d291678..dc3c74a 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -338,6 +338,8 @@ class Morsel(dict):
         "version"  : "Version",
     }
 
+    _flags = {'secure', 'httponly'}
+
     def __init__(self):
         # Set defaults
         self.key = self.value = self.coded_value = None
@@ -435,15 +437,18 @@ _CookiePattern = re.compile(r"""
     (?P<key>                       # Start of group 'key'
     """ + _LegalCharsPatt + r"""+?   # Any word of at least one letter
     )                              # End of group 'key'
-    \s*=\s*                        # Equal Sign
-    (?P<val>                       # Start of group 'val'
-    "(?:[^\\"]|\\.)*"                # Any doublequoted string
-    |                                # or
+    (                              # Optional group: there may not be a value.
+    \s*=\s*                          # Equal Sign
+    (?P<val>                         # Start of group 'val'
+    "(?:[^\\"]|\\.)*"                  # Any doublequoted string
+    |                                  # or
     \w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT  # Special case for "expires" attr
-    |                                # or
-    """ + _LegalCharsPatt + r"""*    # Any word or empty string
-    )                              # End of group 'val'
-    \s*;?                          # Probably ending in a semi-colon
+    |                                  # or
+    """ + _LegalCharsPatt + r"""*      # Any word or empty string
+    )                                # End of group 'val'
+    )?                             # End of optional value group
+    \s*                            # Any number of spaces.
+    (\s+|;|$)                      # Ending either at space, semicolon, or EOS.
     """, re.ASCII)                 # May be removed if safe.
 
 
@@ -549,8 +554,12 @@ class BaseCookie(dict):
                     M[key[1:]] = value
             elif key.lower() in Morsel._reserved:
                 if M:
-                    M[key] = _unquote(value)
-            else:
+                    if value is None:
+                        if key.lower() in Morsel._flags:
+                            M[key] = True
+                    else:
+                        M[key] = _unquote(value)
+            elif value is not None:
                 rval, cval = self.value_decode(value)
                 self.__set(key, rval, cval)
                 M = self[key]