bpo-23930: Add support to parse comma-separated cookies by remilapeyre · Pull Request #10494 · python/cpython
Some user-agents do not respect RFC 6265 and send comma-separated
cookies like "a=b,z=zz" when it should be "a=b; z=zz". Until now,
cookies.SimpleCookie would parse this as a unique cookie "a" with value
"b,z=zz".
A comma in the cookie value is explicitly prohibited by RFC 6265 (https://tools.ietf.org/html/rfc6265#section-4.1.1).
If a comma happens to be in the value, it should have been base 64
encoded:

    cookie-pair  = cookie-name "=" cookie-value
    cookie-name  = token
    cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                   ; US-ASCII characters excluding CTLs,
                   ; whitespace DQUOTE, comma, semicolon,
                   ; and backslash

When this happens, since the cookie string is invalid and no comma should
be present, a better default is to consider it a separator and to parse
the string as two cookies "a=b" and "z=zz".
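
An added illustration, not code from this pull request: a strict parser that checks each pair against the grammar quoted above, rejecting a value that contains a comma or optionally treating the comma as a separator as the description proposes. The names `parse_cookie_header`, `stdlib_view` and `comma_is_separator` are hypothetical.

```python
import re
from http.cookies import SimpleCookie

# cookie-octet from RFC 6265 section 4.1.1, as quoted in the description.
COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
COOKIE_VALUE = re.compile(rf'(?:{COOKIE_OCTET}*|"{COOKIE_OCTET}*")\Z')
# token: US-ASCII characters excluding CTLs and separators.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def stdlib_view(header):
    """Return what http.cookies.SimpleCookie makes of the header."""
    return {name: morsel.value for name, morsel in SimpleCookie(header).items()}


def parse_cookie_header(header, comma_is_separator=False):
    """Hypothetical strict parser: returns (cookies, rejected_pairs).

    With comma_is_separator=True a comma is treated like ';', the default
    the description argues for. Pairs that violate the grammar are
    reported in rejected_pairs instead of being silently accepted.
    """
    separator = r"[;,]" if comma_is_separator else r";"
    cookies, rejected = {}, []
    for pair in re.split(separator, header):
        pair = pair.strip()
        if not pair:
            continue
        name, eq, value = pair.partition("=")
        if eq and TOKEN.match(name) and COOKIE_VALUE.match(value):
            cookies[name] = value
        else:
            rejected.append(pair)
    return cookies, rejected


if __name__ == "__main__":
    header = "a=b,z=zz"  # constructed sample: the string from the description
    print("SimpleCookie:    ", stdlib_view(header))
    print("strict:          ", parse_cookie_header(header))
    print("comma separates: ", parse_cookie_header(header, comma_is_separator=True))
```

Logging the rejected pairs makes a non-conforming user-agent visible, and shows where two components in a request path could disagree about which cookies a header carries.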