summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Doc/library/http.cookies.rst63
-rw-r--r--Lib/http/cookies.py161
-rw-r--r--Lib/test/test_http_cookies.py1
-rw-r--r--Misc/NEWS3
4 files changed, 16 insertions, 212 deletions
diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst
index 8c90c5e..533e963 100644
--- a/Doc/library/http.cookies.rst
+++ b/Doc/library/http.cookies.rst
@@ -39,36 +39,6 @@ result, the parsing rules used are a bit less strict.
and :meth:`value_encode` to be the identity and :func:`str` respectively.
-.. class:: SerialCookie([input])
-
- This class derives from :class:`BaseCookie` and overrides :meth:`value_decode`
- and :meth:`value_encode` to be the :func:`pickle.loads` and
- :func:`pickle.dumps`.
-
- .. deprecated:: 2.3
- Reading pickled values from untrusted cookie data is a huge security hole, as
- pickle strings can be crafted to cause arbitrary code to execute on your server.
- It is supported for backwards compatibility only, and may eventually go away.
-
-
-.. class:: SmartCookie([input])
-
- This class derives from :class:`BaseCookie`. It overrides :meth:`value_decode`
- to be :func:`pickle.loads` if it is a valid pickle, and otherwise the value
- itself. It overrides :meth:`value_encode` to be :func:`pickle.dumps` unless it
- is a string, in which case it returns the value itself.
-
- .. deprecated:: 2.3
- The same security warning from :class:`SerialCookie` applies here.
-
-A further security note is warranted. For backwards compatibility, the
-:mod:`http.cookies` module exports a class named :class:`Cookie` which is just an
-alias for :class:`SmartCookie`. This is probably a mistake and will likely be
-removed in a future version. You should not use the :class:`Cookie` class in
-your applications, for the same reason why you should not use the
-:class:`SerialCookie` class.
-
-
.. seealso::
Module :mod:`http.cookiejar`
@@ -212,8 +182,6 @@ The following example demonstrates how to use the :mod:`http.cookies` module.
>>> from http import cookies
>>> C = cookies.SimpleCookie()
- >>> C = cookies.SerialCookie()
- >>> C = cookies.SmartCookie()
>>> C["fig"] = "newton"
>>> C["sugar"] = "wafer"
>>> print(C) # generate HTTP headers
@@ -222,28 +190,28 @@ The following example demonstrates how to use the :mod:`http.cookies` module.
>>> print(C.output()) # same thing
Set-Cookie: fig=newton
Set-Cookie: sugar=wafer
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["rocky"] = "road"
>>> C["rocky"]["path"] = "/cookie"
>>> print(C.output(header="Cookie:"))
Cookie: rocky=road; Path=/cookie
>>> print(C.output(attrs=[], header="Cookie:"))
Cookie: rocky=road
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C.load("chips=ahoy; vienna=finger") # load from a string (HTTP header)
>>> print(C)
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
>>> print(C)
Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["oreo"] = "doublestuff"
>>> C["oreo"]["path"] = "/"
>>> print(C)
Set-Cookie: oreo=doublestuff; Path=/
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["twix"] = "none for you"
>>> C["twix"].value
'none for you'
@@ -257,24 +225,3 @@ The following example demonstrates how to use the :mod:`http.cookies` module.
>>> print(C)
Set-Cookie: number=7
Set-Cookie: string=seven
- >>> C = cookies.SerialCookie()
- >>> C["number"] = 7
- >>> C["string"] = "seven"
- >>> C["number"].value
- 7
- >>> C["string"].value
- 'seven'
- >>> print(C)
- Set-Cookie: number="I7\012."
- Set-Cookie: string="S'seven'\012p1\012."
- >>> C = cookies.SmartCookie()
- >>> C["number"] = 7
- >>> C["string"] = "seven"
- >>> C["number"].value
- 7
- >>> C["string"].value
- 'seven'
- >>> print(C)
- Set-Cookie: number="I7\012."
- Set-Cookie: string=seven
-
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 5078d33..344bede 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -50,23 +50,14 @@ Importing is easy..
>>> from http import cookies
-Most of the time you start by creating a cookie. Cookies come in
-three flavors, each with slightly different encoding semantics, but
-more on that later.
+Most of the time you start by creating a cookie.
>>> C = cookies.SimpleCookie()
- >>> C = cookies.SerialCookie()
- >>> C = cookies.SmartCookie()
-
-[Note: Long-time users of cookies.py will remember using
-cookies.Cookie() to create an Cookie object. Although deprecated, it
-is still supported by the code. See the Backward Compatibility notes
-for more information.]
Once you've created your Cookie, you can add values just as if it were
a dictionary.
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["fig"] = "newton"
>>> C["sugar"] = "wafer"
>>> C.output()
@@ -77,7 +68,7 @@ appropriate format for a Set-Cookie: header. This is the
default behavior. You can change the header and printed
attributes by using the .output() function
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["rocky"] = "road"
>>> C["rocky"]["path"] = "/cookie"
>>> print(C.output(header="Cookie:"))
@@ -89,7 +80,7 @@ The load() method of a Cookie extracts cookies from a string. In a
CGI script, you would use this method to extract the cookies from the
HTTP_COOKIE environment variable.
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C.load("chips=ahoy; vienna=finger")
>>> C.output()
'Set-Cookie: chips=ahoy\r\nSet-Cookie: vienna=finger'
@@ -98,7 +89,7 @@ The load() method is darn-tootin smart about identifying cookies
within a string. Escaped quotation marks, nested semicolons, and other
such trickeries do not confuse it.
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
>>> print(C)
Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
@@ -107,7 +98,7 @@ Each element of the Cookie also supports all of the RFC 2109
Cookie attributes. Here's an example which sets the Path
attribute.
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["oreo"] = "doublestuff"
>>> C["oreo"]["path"] = "/"
>>> print(C)
@@ -116,21 +107,11 @@ attribute.
Each dictionary element has a 'value' attribute, which gives you
back the value associated with the key.
- >>> C = cookies.SmartCookie()
+ >>> C = cookies.SimpleCookie()
>>> C["twix"] = "none for you"
>>> C["twix"].value
'none for you'
-
-A Bit More Advanced
--------------------
-
-As mentioned before, there are three different flavors of Cookie
-objects, each with different encoding/decoding semantics. This
-section briefly discusses the differences.
-
-SimpleCookie
-
The SimpleCookie expects that all values should be standard strings.
Just to be sure, SimpleCookie invokes the str() builtin to convert
the value to a string, when the values are set dictionary-style.
@@ -145,62 +126,6 @@ the value to a string, when the values are set dictionary-style.
>>> C.output()
'Set-Cookie: number=7\r\nSet-Cookie: string=seven'
-
-SerialCookie
-
-The SerialCookie expects that all values should be serialized using
-pickle. As a result of serializing, SerialCookie can save almost any
-Python object to a value, and recover the exact same object when the
-cookie has been returned. (SerialCookie can yield some
-strange-looking cookie values, however.)
-
- >>> C = cookies.SerialCookie()
- >>> C["number"] = 7
- >>> C["string"] = "seven"
- >>> C["number"].value
- 7
- >>> C["string"].value
- 'seven'
- >>> C.output()
- 'Set-Cookie: number="L7\\012."\r\nSet-Cookie: string="Vseven\\012p0\\012."'
-
-Be warned, however, if SerialCookie cannot de-serialize a value (because
-it isn't a valid pickle'd object), IT WILL RAISE AN EXCEPTION.
-
-
-SmartCookie
-
-The SmartCookie combines aspects of each of the other two flavors.
-When setting a value in a dictionary-fashion, the SmartCookie will
-serialize (ala pickle) the value *if and only if* it isn't a
-Python string. String objects are *not* serialized. Similarly,
-when the load() method parses out values, it attempts to de-serialize
-the value. If it fails, then it fallsback to treating the value
-as a string.
-
- >>> C = cookies.SmartCookie()
- >>> C["number"] = 7
- >>> C["string"] = "seven"
- >>> C["number"].value
- 7
- >>> C["string"].value
- 'seven'
- >>> C.output()
- 'Set-Cookie: number="L7\\012."\r\nSet-Cookie: string=seven'
-
-
-Backwards Compatibility
------------------------
-
-In order to keep compatibilty with earlier versions of Cookie.py,
-it is still possible to use cookies.Cookie() to create a Cookie. In
-fact, this simply returns a SmartCookie.
-
- >>> C = cookies.Cookie()
- >>> print(C.__class__.__name__)
- SmartCookie
-
-
Finis.
""" #"
# ^
@@ -215,8 +140,7 @@ from pickle import dumps, loads
import re, warnings
-__all__ = ["CookieError","BaseCookie","SimpleCookie","SerialCookie",
- "SmartCookie","Cookie"]
+__all__ = ["CookieError", "BaseCookie", "SimpleCookie"]
_nulljoin = ''.join
_semispacejoin = '; '.join
@@ -653,70 +577,6 @@ class SimpleCookie(BaseCookie):
return strval, _quote( strval )
# end SimpleCookie
-class SerialCookie(BaseCookie):
- """SerialCookie
- SerialCookie supports arbitrary objects as cookie values. All
- values are serialized (using pickle) before being sent to the
- client. All incoming values are assumed to be valid Pickle
- representations. IF AN INCOMING VALUE IS NOT IN A VALID PICKLE
- FORMAT, THEN AN EXCEPTION WILL BE RAISED.
-
- Note: Large cookie values add overhead because they must be
- retransmitted on every HTTP transaction.
-
- Note: HTTP has a 2k limit on the size of a cookie. This class
- does not check for this limit, so be careful!!!
- """
- def __init__(self, input=None):
- warnings.warn("SerialCookie class is insecure; do not use it",
- DeprecationWarning)
- BaseCookie.__init__(self, input)
- # end __init__
- def value_decode(self, val):
- # This could raise an exception!
- return loads( _unquote(val).encode('latin-1') ), val
- def value_encode(self, val):
- return val, _quote( dumps(val, 0).decode('latin-1') )
-# end SerialCookie
-
-class SmartCookie(BaseCookie):
- """SmartCookie
- SmartCookie supports arbitrary objects as cookie values. If the
- object is a string, then it is quoted. If the object is not a
- string, however, then SmartCookie will use pickle to serialize
- the object into a string representation.
-
- Note: Large cookie values add overhead because they must be
- retransmitted on every HTTP transaction.
-
- Note: HTTP has a 2k limit on the size of a cookie. This class
- does not check for this limit, so be careful!!!
- """
- def __init__(self, input=None):
- warnings.warn("Cookie/SmartCookie class is insecure; do not use it",
- DeprecationWarning)
- BaseCookie.__init__(self, input)
- # end __init__
- def value_decode(self, val):
- strval = _unquote(val)
- try:
- return loads(strval.encode('latin-1')), val
- except:
- return strval, val
- def value_encode(self, val):
- if isinstance(val, str):
- return val, _quote(val)
- else:
- return val, _quote( dumps(val, 0).decode('latin-1') )
-# end SmartCookie
-
-
-###########################################################
-# Backwards Compatibility: Don't break any existing code!
-
-# We provide Cookie() as an alias for SmartCookie()
-Cookie = SmartCookie
-
#
###########################################################
@@ -726,8 +586,3 @@ def _test():
if __name__ == "__main__":
_test()
-
-
-#Local Variables:
-#tab-width: 4
-#end:
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index a336c82..01017e1 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -10,7 +10,6 @@ warnings.filterwarnings("ignore",
DeprecationWarning)
class CookieTests(unittest.TestCase):
- # Currently this only tests SimpleCookie
def test_basic(self):
cases = [
{ 'data': 'chips=ahoy; vienna=finger',
diff --git a/Misc/NEWS b/Misc/NEWS
index b4f7fdd..0c38389 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -60,6 +60,9 @@ Extension Modules
Library
-------
+- The deprecated ``SmartCookie`` and ``SimpleCookie`` classes have
+ been removed from ``http.cookies``.
+
- The ``commands`` module has been removed. Its getoutput() and
getstatusoutput() functions have been moved to the ``subprocess`` module.