Issue 991266: Cookie.py does not correctly quote Morsels


Created on 2004-07-15 00:17 by zenzen, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name | Uploaded | Description
991266test.patch | zdobersek, 2009-02-14 17:14 | Patch to test_cookie.py
991266fix.patch | zdobersek, 2009-02-18 14:40 | Fix - properly quote cookie's comment
issue991266.diff | berker.peksag, 2016-04-25 12:04 |
Pull Requests
URL | Status | Linked
PR 6555 | merged | berker.peksag, 2018-04-20 21:29
PR 6570 | merged | miss-islington, 2018-04-22 23:48
PR 6571 | merged | miss-islington, 2018-04-22 23:49
Messages (15)
msg60528 - (view) Author: Stuart Bishop (zenzen) Date: 2004-07-15 00:17
The quoting works fine for cookie values, but doesn't kick in for attributes like Comment.

>>> from Cookie import SimpleCookie
>>> c = SimpleCookie()
>>> c['foo'] = u'\N{COPYRIGHT SIGN}'.encode('UTF8')
>>> print str(c)
Set-Cookie: foo="\302\251";
>>> c['foo']['comment'] = u'\N{BIOHAZARD SIGN}'.encode('UTF8')
>>> print str(c)
Set-Cookie: foo="\302\251"; Comment=?;
>>> str(c)
'Set-Cookie: foo="\\302\\251"; Comment=\xe2\x98\xa3;'
>>>
msg82094 - (view) Author: Zan Dobersek (zdobersek) Date: 2009-02-14 17:14
This patch adds a Unicode character, converted to UTF-8, as a cookie's comment and then checks that it is correctly quoted.
msg82418 - (view) Author: Zan Dobersek (zdobersek) Date: 2009-02-18 14:40
This patch properly quotes the cookie's comment and successfully passes test_cookie.py with the patch applied.
msg82420 - (view) Author: Daniel Diniz (ajaksu2) * (Python triager) Date: 2009-02-18 15:07
Thanks, Zan! All tests pass with both patches applied. Test and fix look correct to me.
msg110392 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2010-07-15 22:17
Can someone please take a look at this Cookie.py two-line patch?
msg114367 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2010-08-19 15:12
Can we have this committed please, says the patches are ok.
msg264172 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2016-04-25 12:04
Here is a patch for Python 3.
msg315496 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2018-04-20 00:16
Berker, your patch looks good to me. Convert it to a PR and then merge?
msg315498 - (view) Author: Mark Williams (Mark.Williams) * Date: 2018-04-20 02:04
This patch only quotes the Comment attribute, and the rest of the code only quotes attributes if they're of the expected type. Consider Expires:

>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['name'] = 'value'
>>> c['name']['comment'] = '\n'
>>> c['name']['expires'] = 123
>>> c.output()
'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT'
>>> c['name']['expires'] = '123; path=.example.invalid'
>>> c.output()
'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'

Here's the offending line: https://github.com/python/cpython/blob/b87c1c92fc93c5733cd3d8606ab2301ca6ba208f/Lib/http/cookies.py#L415

Why not quote all attribute values?
msg315499 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-04-20 03:04
>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['name'] = 'value'
>>> c['name']['comment'] = '\n'
>>> c['name']['expires'] = '123; path=.example.invalid'
>>> c.output()
'Set-Cookie: name=value; Comment="\\012"; expires=123; path=.example.invalid'

What do you think that the snippet above should return?

'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT; path=.example.invalid'

or

'Set-Cookie: name=value; Comment="\\012"; expires=Fri, 20 Apr 2018 02:03:13 GMT; path=".example.invalid"'

or

'Set-Cookie: name=value; Comment="\\012"; expires=123; path=".example.invalid"'

? I don't think the path attribute (or all of them) needs to be quoted unconditionally. Looking at https://tools.ietf.org/html/rfc6265#section-4.1.1, it looks like quoting for cookie-value is optional. Is there a use case or examples from other programming languages you can share with us?
msg315500 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2018-04-20 03:07
None of the above :-) I'd expect the last one, but with quoting. You should not be able to set fields in a cookie by injection.
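An added example, not code from this thread or from CPython, that checks the two behaviours the last three messages discuss on a current Python 3: the Comment attribute is quoted by the stdlib after the fix from this issue, while any other str attribute is emitted verbatim, so a value containing ';' adds a second attribute. The helper names `set_attr`, `render` and `injection_rejected` are hypothetical; the validation rule (reject control characters and ';' outside the attributes the stdlib quotes) is the editor's own, not a CPython API.

```python
"""Guard Set-Cookie attribute values before they reach a Morsel.

Added example; assumes Python 3.8+ where http.cookies quotes Comment.
"""
import re
from http.cookies import CookieError, SimpleCookie

# Attributes that Morsel.OutputString() passes through _quote() itself
# (Comment, since the GH-6555 fix); everything else is emitted as-is.
QUOTED_BY_STDLIB = {"comment"}

# RFC 6265 cookie-av values may not contain CTLs or ';'. CR/LF would also
# terminate the header line, so they are covered by the CTL range.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f;]")


def set_attr(cookie: SimpleCookie, name: str, attr: str, value) -> None:
    """Assign cookie[name][attr] = value, refusing str values that could
    inject a second attribute or break out of the header line."""
    if attr.lower() not in QUOTED_BY_STDLIB and isinstance(value, str):
        if _UNSAFE.search(value):
            raise CookieError(f"unsafe character in {attr!r} value: {value!r}")
    cookie[name][attr] = value  # raises CookieError for unknown attributes


def render(name: str, value: str, **attrs) -> str:
    """Build one Set-Cookie line with every attribute passed through set_attr()."""
    c = SimpleCookie()
    c[name] = value
    for attr, v in attrs.items():
        set_attr(c, name, attr, v)
    return c.output()


def injection_rejected(attr: str, value) -> bool:
    """True when render() refuses the given attribute value."""
    try:
        render("name", "value", **{attr: value})
    except CookieError:
        return True
    return False


if __name__ == "__main__":
    # The stdlib quotes Comment itself, so a newline comes out as "\012".
    print(render("name", "value", comment="\n"))
    # The expires payload from the thread is refused instead of passed through.
    print(injection_rejected("expires", "123; path=.example.invalid"))
```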
msg315634 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-04-22 23:48
New changeset d5a2377c3d70e4143bcbee4a765b3434e21f683a by Berker Peksag in branch 'master': bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) https://github.com/python/cpython/commit/d5a2377c3d70e4143bcbee4a765b3434e21f683a
msg315636 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-04-23 00:58
New changeset 9fc998d761591f2741d8e94f5b3009c56ae83882 by Berker Peksag (Miss Islington (bot)) in branch '3.7': bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) https://github.com/python/cpython/commit/9fc998d761591f2741d8e94f5b3009c56ae83882
msg315637 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-04-23 00:58
New changeset 8a6f4b4bba950fb8eead1b176c58202d773f2f70 by Berker Peksag (Miss Islington (bot)) in branch '3.6': bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) https://github.com/python/cpython/commit/8a6f4b4bba950fb8eead1b176c58202d773f2f70
msg316782 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-05-16 08:16
I've opened bpo-33535 to discuss Mark Williams' suggestion.
History
Date User Action Args
2022-04-11 14:56:05 admin set github: 40569
2018-05-16 08:16:42 berker.peksag set status: open -> closed; versions: - Python 2.7; messages: +; resolution: fixed; stage: patch review -> resolved
2018-04-23 00:58:53 berker.peksag set messages: +
2018-04-23 00:58:33 berker.peksag set messages: +
2018-04-22 23:49:21 miss-islington set pull_requests: + pull_request6268
2018-04-22 23:48:27 miss-islington set pull_requests: + pull_request6267
2018-04-22 23:48:14 berker.peksag set messages: +
2018-04-20 21:29:51 berker.peksag set pull_requests: + pull_request6251
2018-04-20 03:07:18 alex set messages: +
2018-04-20 03:04:19 berker.peksag set messages: +; versions: + Python 3.7, Python 3.8, - Python 3.4, Python 3.5
2018-04-20 02:04:19 Mark.Williams set nosy: + Mark.Williams; messages: +; versions: + Python 3.4
2018-04-20 00:16:17 alex set nosy: + alex; messages: +
2016-04-25 12:04:56 berker.peksag set files: + issue991266.diff; versions: + Python 3.5, Python 3.6, - Python 3.1, Python 3.2; nosy: + berker.peksag; messages: +
2014-02-03 19:49:29 BreamoreBoy set nosy: - BreamoreBoy
2010-08-19 15:12:27 BreamoreBoy set messages: +
2010-07-15 22:17:56 BreamoreBoy set versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6
2010-07-15 22:17:00 BreamoreBoy set nosy: + BreamoreBoy; messages: +
2009-02-18 15:07:02 ajaksu2 set nosy: + ajaksu2; messages: +; stage: test needed -> patch review
2009-02-18 14:40:15 zdobersek set files: + 991266fix.patch; messages: +
2009-02-14 17:14:14 zdobersek set files: + 991266test.patch; keywords: + patch; messages: +; nosy: + zdobersek
2009-02-13 21:13:09 jjlee set nosy: - jjlee
2009-02-13 01:18:53 ajaksu2 set nosy: + jjlee; stage: test needed; type: behavior; versions: + Python 2.6, - Python 2.3
2004-07-15 00:17:04 zenzen create