From cd0f74b1e09a50acc073aa57c1345968257a9056 Mon Sep 17 00:00:00 2001 From: R David Murray Date: Sun, 25 Aug 2013 11:09:02 -0400 Subject: #16611: BaseCookie now parses 'secure' and 'httponly' flags. Previously it generated them if they were given a value, but completely ignored them if they were present in the string passed in to be parsed. Now if the flag appears on a cookie, the corresponding Morsel key will reference a True value. Other pre-existing behavior is retained in this maintenance patch: if the source contains something like 'secure=foo', morsel['secure'] will return 'foo'. Since such a value doesn't round trip and never did (and would be a surprising occurrence) a subsequent non-bug-fix patch may change this behavior. Inspired by a patch from Julien Phalip, who reviewed this one. --- Lib/http/cookies.py | 29 +++++++++++++++++++---------- Lib/test/test_http_cookies.py | 40 +++++++++++++++++++++++++++++++++++++++- Misc/NEWS | 3 +++ 3 files changed, 61 insertions(+), 11 deletions(-) diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py index d291678..dc3c74a 100644 --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -338,6 +338,8 @@ class Morsel(dict): "version" : "Version", } + _flags = {'secure', 'httponly'} + def __init__(self): # Set defaults self.key = self.value = self.coded_value = None @@ -435,15 +437,18 @@ _CookiePattern = re.compile(r""" (?P # Start of group 'key' """ + _LegalCharsPatt + r"""+? # Any word of at least one letter ) # End of group 'key' - \s*=\s* # Equal Sign - (?P # Start of group 'val' - "(?:[^\\"]|\\.)*" # Any doublequoted string - | # or + ( # Optional group: there may not be a value. + \s*=\s* # Equal Sign + (?P # Start of group 'val' + "(?:[^\\"]|\\.)*" # Any doublequoted string + | # or \w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT # Special case for "expires" attr - | # or - """ + _LegalCharsPatt + r"""* # Any word or empty string - ) # End of group 'val' - \s*;? # Probably ending in a semi-colon + | # or + """ + _LegalCharsPatt + r"""* # Any word or empty string + ) # End of group 'val' + )? # End of optional value group + \s* # Any number of spaces. + (\s+|;|$) # Ending either at space, semicolon, or EOS. """, re.ASCII) # May be removed if safe. @@ -549,8 +554,12 @@ class BaseCookie(dict): M[key[1:]] = value elif key.lower() in Morsel._reserved: if M: - M[key] = _unquote(value) - else: + if value is None: + if key.lower() in Morsel._flags: + M[key] = True + else: + M[key] = _unquote(value) + elif value is not None: rval, cval = self.value_decode(value) self.__set(key, rval, cval) M = self[key] diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index e8327e5..1cfbe74 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -109,13 +109,51 @@ class CookieTests(unittest.TestCase): self.assertEqual(C.output(), 'Set-Cookie: Customer="WILE_E_COYOTE"; Max-Age=10') - # others + def test_set_secure_httponly_attrs(self): C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"') C['Customer']['secure'] = True C['Customer']['httponly'] = True self.assertEqual(C.output(), 'Set-Cookie: Customer="WILE_E_COYOTE"; httponly; secure') + def test_secure_httponly_false_if_not_present(self): + C = cookies.SimpleCookie() + C.load('eggs=scrambled; Path=/bacon') + self.assertFalse(C['eggs']['httponly']) + self.assertFalse(C['eggs']['secure']) + + def test_secure_httponly_true_if_present(self): + # Issue 16611 + C = cookies.SimpleCookie() + C.load('eggs=scrambled; httponly; secure; Path=/bacon') + self.assertTrue(C['eggs']['httponly']) + self.assertTrue(C['eggs']['secure']) + + def test_secure_httponly_true_if_have_value(self): + # This isn't really valid, but demonstrates what the current code + # is expected to do in this case. + C = cookies.SimpleCookie() + C.load('eggs=scrambled; httponly=foo; secure=bar; Path=/bacon') + self.assertTrue(C['eggs']['httponly']) + self.assertTrue(C['eggs']['secure']) + # Here is what it actually does; don't depend on this behavior. These + # checks are testing backward compatibility for issue 16611. + self.assertEqual(C['eggs']['httponly'], 'foo') + self.assertEqual(C['eggs']['secure'], 'bar') + + def test_bad_attrs(self): + # issue 16611: make sure we don't break backward compatibility. + C = cookies.SimpleCookie() + C.load('cookie=with; invalid; version; second=cookie;') + self.assertEqual(C.output(), + 'Set-Cookie: cookie=with\r\nSet-Cookie: second=cookie') + + def test_extra_spaces(self): + C = cookies.SimpleCookie() + C.load('eggs = scrambled ; secure ; path = bar ; foo=foo ') + self.assertEqual(C.output(), + 'Set-Cookie: eggs=scrambled; Path=bar; secure\r\nSet-Cookie: foo=foo') + def test_quoted_meta(self): # Try cookie with quoted meta-data C = cookies.SimpleCookie() diff --git a/Misc/NEWS b/Misc/NEWS index 35cba80..848332c 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -66,6 +66,9 @@ Core and Builtins Library ------- +- Issue #16611: http.cookie now correctly parses the 'secure' and 'httponly' + cookie flags. + - Issue #11973: Fix a problem in kevent. The flags and fflags fields are now properly handled as unsigned. -- cgit v0.12