Issue 26570: comma-separated cookies with expires header do not parse properly (original) (raw)

This is a peculiar regression in 3.5 where a comma-separated cookie following an expires field is considered invalid:

Ex: which results in a silent error/empty cookie in 3.5.1

Python 3.5.1 (default, Dec 26 2015, 18:11:22) [GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin Type "help", "copyright", "credits" or "license" for more information.

from http.cookies import SimpleCookie SimpleCookie('A=B; expires=Thu, 01-Jan-1970 00:00:00 GMT, C=D') <SimpleCookie: >

compared to 3.4.2 and 2.7.9

Python 3.4.2 (default, Jan 29 2015, 06:45:30) [GCC 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.40)] on darwin Type "help", "copyright", "credits" or "license" for more information.

from http.cookies import SimpleCookie SimpleCookie('A=B; expires=Thu, 01-Jan-1970 00:00:00 GMT, C=D') <SimpleCookie: A='B' C='D'>

Python 2.7.9 (default, Jan 29 2015, 06:28:46) [GCC 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.40)] on darwin Type "help", "copyright", "credits" or "license" for more information.

from Cookie import SimpleCookie SimpleCookie('A=B; expires=Thu, 01-Jan-1970 00:00:00 GMT, C=D') <SimpleCookie: A='B' C='D'>

This seems to specifically happen when the expires field is the last field in the cookie. eg, this works as expected:

SimpleCookie('A=B; expires=Thu, 01-Jan-1970 00:00:00 GMT; Path=/, C=D') <SimpleCookie: A='B' C='D'>

I'm not sure if this is related to the other comma-related cookie bugs, such as as this does not appear to use the same regex at first glance. I have not had a chance to track it down it further.

This is not a regression and you can see that if you do

print(SimpleCookie('A=B; expires=Thu, 01-Jan-1970 00:00:00 GMT, C=D'))

The values of expires and Path attribute were parsed incorrectly, even though you got two cookies. The problem as far as I can see is a non-standard separator between attributes that you're trying to use, i.e. a comma. If you were to use a semi-colon (or a space) there would not be a problem in any of the versions.