diff options
| -rw-r--r-- | Lib/http/cookies.py | 7 | ||||
| -rw-r--r-- | Lib/test/test_http_cookies.py | 13 | ||||
| -rw-r--r-- | Misc/NEWS | 2 |
3 files changed, 19 insertions, 3 deletions
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py index 3e1abd7..482e601 100644 --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -428,12 +428,13 @@ class Morsel(dict): # result, the parsing rules here are less strict. # -_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" +_LegalKeyChars = r"\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=" +_LegalValueChars = _LegalKeyChars + '\[\]' _CookiePattern = re.compile(r""" (?x) # This is a verbose pattern \s* # Optional whitespace at start of cookie (?P<key> # Start of group 'key' - """ + _LegalCharsPatt + r"""+? # Any word of at least one letter + [""" + _LegalKeyChars + r"""]+? # Any word of at least one letter ) # End of group 'key' ( # Optional group: there may not be a value. \s*=\s* # Equal Sign @@ -442,7 +443,7 @@ _CookiePattern = re.compile(r""" | # or \w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT # Special case for "expires" attr | # or - """ + _LegalCharsPatt + r"""* # Any word or empty string + [""" + _LegalValueChars + r"""]* # Any word or empty string ) # End of group 'val' )? # End of optional value group \s* # Any number of spaces. diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index e984252..c7b680b 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -43,6 +43,19 @@ class CookieTests(unittest.TestCase): 'repr': "<SimpleCookie: key:term='value:term'>", 'output': 'Set-Cookie: key:term=value:term'}, + # issue22931 - Adding '[' and ']' as valid characters in cookie + # values as defined in RFC 6265 + { + 'data': 'a=b; c=[; d=r; f=h', + 'dict': {'a':'b', 'c':'[', 'd':'r', 'f':'h'}, + 'repr': "<SimpleCookie: a='b' c='[' d='r' f='h'>", + 'output': '\n'.join(( + 'Set-Cookie: a=b', + 'Set-Cookie: c=[', + 'Set-Cookie: d=r', + 'Set-Cookie: f=h' + )) + } ] for case in cases: @@ -80,6 +80,8 @@ Library - Issue #23796: peek and read1 methods of BufferedReader now raise ValueError if they called on a closed object. Patch by John Hergenroeder. +- Issue #22931: Allow '[' and ']' in cookie values. + - Issue #24094: Fix possible crash in json.encode with poorly behaved dict subclasses. |