msg116030
Author: Luke Plant (spookylukey)
Date: 2010-09-10 16:50
In developing Django, we found that some browsers don't treat commas and semi-colons in cookie values (i.e. the Set-Cookie header) the way that RFC 2109 says they should. (Safari splits the header on a comma followed by space, Internet Explorer splits on semi-colons - both irrespective of any 'quoting'). The result is that if you use SimpleCookie to create Set-Cookie headers, where the cookie value contains a comma or semi-colon, you can get all kinds of breakage. In the end, we realised that the RFCs are kind of irrelevant, and we have to look at what browsers actually do. So, it would be much more useful if semi-colons and commas were escaped the way that other characters are by SimpleCookie. Our discussion/findings are here:
http://code.djangoproject.com/ticket/12470#comment:4
http://groups.google.com/group/django-developers/msg/2cb729938e8e67ca
The patch to Cookie.py (Python 2.X) or http/cookies.py (Python 3.X) is simple and follows. I'm assuming that this applies to Python 3.2 and 3.3, but I haven't checked.
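The following is an added example, not part of the bug report or of the patch discussed in this thread. It uses the `http.cookies` module of a current Python 3 (where commas and semicolons are already escaped as octal `\054` and `\073`) to show the behaviour the report asks for: a value containing `,` and `;` is emitted in quoted, escaped form, survives a client that blindly splits the header on `;`, and decodes back to the original on the server. The `naive_browser_split` helper is a constructed stand-in for the Internet Explorer behaviour described above; the cookie name and value are constructed sample data.

```python
"""Demonstrate SimpleCookie's escaping of ',' and ';' and why it matters
when a client splits Set-Cookie on ';' regardless of quoting.

Added example; not code from the bug thread or the CPython patch."""
from typing import List

from http.cookies import SimpleCookie


def set_cookie_header(name: str, value: str) -> str:
    """Build the Set-Cookie header value exactly as SimpleCookie emits it.

    Returns only the header value, without the 'Set-Cookie: ' prefix."""
    jar = SimpleCookie()
    jar[name] = value            # value is run through http.cookies._quote
    return jar[name].OutputString()


def naive_browser_split(header_value: str) -> List[str]:
    """Constructed stand-in for a client that splits on ';' irrespective
    of quoting (the Internet Explorer behaviour described in the report)."""
    return [part.strip() for part in header_value.split(";")]


def read_cookie_header(cookie_header: str, name: str) -> str:
    """Decode a Cookie request header with SimpleCookie, which unescapes
    the \\ooo octal sequences and strips the surrounding quotes."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value


def round_trip(name: str, value: str) -> str:
    """Server encodes, the naive client keeps only the first ';'-separated
    token and echoes it back, the server decodes it again."""
    header = set_cookie_header(name, value)
    echoed = naive_browser_split(header)[0]
    return read_cookie_header(echoed, name)


if __name__ == "__main__":
    raw = "a,b;c"                                       # constructed sample value
    # Escaped form: session="a\054b\073c" (one token even for a naive splitter)
    print(set_cookie_header("session", raw))
    print(naive_browser_split(set_cookie_header("session", raw)))
    # Unescaped form is cut at the ';' and the rest is read as a new attribute
    print(naive_browser_split("session=" + raw))
    print(round_trip("session", raw) == raw)
```

Values made only of characters that `http.cookies` treats as legal (letters, digits and a few punctuation marks) are emitted unquoted and unchanged, so the escaping only costs anything for values that would otherwise be ambiguous on the wire.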
msg116031
Author: Luke Plant (spookylukey)
Date: 2010-09-10 17:08
I forgot to mention backwards compatibility: In the context of Cookie being used in a web application, if developers were relying on literal commas and semi-colons being present in the client side cookie value (e.g. in javascript), the patch will introduce an incompatibility. A quick review of cookies on my computer shows that 22 out of 3079 have commas in them, and none have semi-colons in them. For those with commas, there would still only be a problem if they were reading them client side, or not using Python's Cookie library to decode the values server side.

msg116121
Author: Georg Brandl (georg.brandl)
Date: 2010-09-11 21:20
I will have a look at this; it looks like it could at least use a few tests.

msg116142
Author: Éric Araujo (eric.araujo)
Date: 2010-09-12 00:59
Thanks for forwarding this upstream. A tip about Python versions: bugs are fixed on the active branch, py3k (which will become 3.2), then backported to 3.1 and 2.7. Security fixes go into 2.5 and 2.6 too. 3.3 means that something won’t make it to 3.2 and is delayed.

msg124175
Author: R. David Murray (r.david.murray)
Date: 2010-12-17 02:51
Here's a patch against py3k with test. If I'm understanding the issue correctly, this looks like a pretty safe change.

msg124775
Author: Georg Brandl (georg.brandl)
Date: 2010-12-28 09:45
Looks good.

msg124814
Author: R. David Murray (r.david.murray)
Date: 2010-12-28 19:11
Committed to py3k in r87550. Since the only application that would trip up would be one not using SimpleCookie to read SimpleCookie generated cookies *and* that doesn't implement unescaping (in which case it wasn't really handling SimpleCookie cookies, was it?), I went ahead and backported it to 3.1 in r87551 and 2.7 in r87552.