cpython: d22fadc18d01 (original) (raw)

Mercurial > cpython

changeset 102301:d22fadc18d01 3.2

#22758: fix regression in handling of secure cookies. This backports the fix from #16611, per discussion with the release manager. [#22758]

R David Murray rdmurray@bitdance.com
date	Sun, 10 Jul 2016 13:32:43 -0400
parents	b2036b717028
children	1c07bd735282 a0bf31e50da5
files	Lib/http/cookies.py Lib/test/test_http_cookies.py Misc/NEWS
diffstat	3 files changed, 61 insertions(+), 11 deletions(-)[+] [-] Lib/http/cookies.py 29 Lib/test/test_http_cookies.py 40 Misc/NEWS 3

line wrap: on

line diff

--- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -338,6 +338,8 @@ class Morsel(dict): "version" : "Version", }

_flags = {'secure', 'httponly'}

+ def init(self): # Set defaults self.key = self.value = self.coded_value = None @@ -437,15 +439,18 @@ class Morsel(dict): (?P # Start of group 'key' [""" + _LegalKeyChars + r"""]+? # Any word of at least one letter ) # End of group 'key'

\s*=\s* # Equal Sign
(?P # Start of group 'val'
"(?:[^\"]|\.)*" # Any doublequoted string
| # or

( # Optional group: there may not be a value.
\s*=\s* # Equal Sign
(?P # Start of group 'val'
"(?:[^\"]|\.)*" # Any doublequoted string
| # or \w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT # Special case for "expires" attr

| # or
[""" + _LegalValueChars + r"""]* # Any word or empty string
) # End of group 'val'
\s*;? # Probably ending in a semi-colon

| # or
[""" + _LegalValueChars + r"""]* # Any word or empty string
) # End of group 'val'
)? # End of optional value group
\s* # Any number of spaces.
(\s+|;|$) # Ending either at space, semicolon, or EOS. """, re.ASCII) # May be removed if safe. @@ -551,8 +556,12 @@ class BaseCookie(dict): M[key[1:]] = value elif key.lower() in Morsel._reserved: if M:

               M[key] = _unquote(value)[](#l1.43)

```
       else:[](#l1.44)
```

               if value is None:[](#l1.45)

                   if key.lower() in Morsel._flags:[](#l1.46)

                       M[key] = True[](#l1.47)

```
               else:[](#l1.48)
```

                   M[key] = _unquote(value)[](#l1.49)

       elif value is not None:[](#l1.50)
           rval, cval = self.value_decode(value)[](#l1.51)
           self.__set(key, rval, cval)[](#l1.52)
           M = self[key][](#l1.53)

--- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -114,13 +114,51 @@ class CookieTests(unittest.TestCase): self.assertEqual(C.output(), 'Set-Cookie: Customer="WILE_E_COYOTE"; Max-Age=10')

```
   # others[](#l2.7)
```

def test_set_secure_httponly_attrs(self): C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"') C['Customer']['secure'] = True C['Customer']['httponly'] = True self.assertEqual(C.output(), 'Set-Cookie: Customer="WILE_E_COYOTE"; httponly; secure')

def test_secure_httponly_false_if_not_present(self):
```
   C = cookies.SimpleCookie()[](#l2.16)
```

   C.load('eggs=scrambled; Path=/bacon')[](#l2.17)

   self.assertFalse(C['eggs']['httponly'])[](#l2.18)

   self.assertFalse(C['eggs']['secure'])[](#l2.19)

def test_secure_httponly_true_if_present(self):
```
   # Issue 16611[](#l2.22)
```
```
   C = cookies.SimpleCookie()[](#l2.23)
```

   C.load('eggs=scrambled; httponly; secure; Path=/bacon')[](#l2.24)

   self.assertTrue(C['eggs']['httponly'])[](#l2.25)

   self.assertTrue(C['eggs']['secure'])[](#l2.26)

def test_secure_httponly_true_if_have_value(self):

   # This isn't really valid, but demonstrates what the current code[](#l2.29)

   # is expected to do in this case.[](#l2.30)

```
   C = cookies.SimpleCookie()[](#l2.31)
```

   C.load('eggs=scrambled; httponly=foo; secure=bar; Path=/bacon')[](#l2.32)

   self.assertTrue(C['eggs']['httponly'])[](#l2.33)

   self.assertTrue(C['eggs']['secure'])[](#l2.34)

   # Here is what it actually does; don't depend on this behavior.  These[](#l2.35)

   # checks are testing backward compatibility for issue 16611.[](#l2.36)

   self.assertEqual(C['eggs']['httponly'], 'foo')[](#l2.37)

   self.assertEqual(C['eggs']['secure'], 'bar')[](#l2.38)

def test_bad_attrs(self):

   # issue 16611: make sure we don't break backward compatibility.[](#l2.41)

```
   C = cookies.SimpleCookie()[](#l2.42)
```

   C.load('cookie=with; invalid; version; second=cookie;')[](#l2.43)

   self.assertEqual(C.output(),[](#l2.44)

       'Set-Cookie: cookie=with\r\nSet-Cookie: second=cookie')[](#l2.45)

def test_extra_spaces(self):
```
   C = cookies.SimpleCookie()[](#l2.48)
```

   C.load('eggs  =  scrambled  ;  secure  ;  path  =  bar   ; foo=foo   ')[](#l2.49)

   self.assertEqual(C.output(),[](#l2.50)

       'Set-Cookie: eggs=scrambled; Path=bar; secure\r\nSet-Cookie: foo=foo')[](#l2.51)

+ def test_quoted_meta(self): # Try cookie with quoted meta-data C = cookies.SimpleCookie()

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -28,6 +28,9 @@ Tests self-signed.pythontest.net. This avoids relying on svn.python.org, which recently changed root certificate. +- Issue #22758: Fix a regression that no longer allowed secure and httponly

cookies to be parsed. + What's New in Python 3.2.6? ===========================