From 5d0ca2c8323b39e392c0c0bd31340cc3e1113c97 Mon Sep 17 00:00:00 2001 From: Georg Brandl Date: Sat, 22 May 2010 11:29:19 +0000 Subject: [PATCH] Issue #3924: Ignore cookies with invalid "version" field in cookielib. --- Lib/cookielib.py | 20 +++++++++++++++----- Lib/test/test_cookielib.py | 16 +++++++++++++++- Misc/NEWS | 2 ++ 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/Lib/cookielib.py b/Lib/cookielib.py index 6b59794869a..eed45f6de88 100644 --- a/Lib/cookielib.py +++ b/Lib/cookielib.py @@ -434,6 +434,13 @@ def join_header_words(lists): if attr: headers.append("; ".join(attr)) return ", ".join(headers) +def strip_quotes(text): + if text.startswith('"'): + text = text[1:] + if text.endswith('"'): + text = text[:-1] + return text + def parse_ns_headers(ns_headers): """Ad-hoc parser for Netscape protocol cookie-attributes. @@ -451,7 +458,7 @@ def parse_ns_headers(ns_headers): """ known_attrs = ("expires", "domain", "path", "secure", # RFC 2109 attrs (may turn up in Netscape cookies, too) - "port", "max-age") + "version", "port", "max-age") result = [] for ns_header in ns_headers: @@ -471,12 +478,11 @@ def parse_ns_headers(ns_headers): k = lc if k == "version": # This is an RFC 2109 cookie. + v = strip_quotes(v) version_set = True if k == "expires": # convert expires date to seconds since epoch - if v.startswith('"'): v = v[1:] - if v.endswith('"'): v = v[:-1] - v = http2time(v) # None if invalid + v = http2time(strip_quotes(v)) # None if invalid pairs.append((k, v)) if pairs: @@ -1450,7 +1456,11 @@ class CookieJar: # set the easy defaults version = standard.get("version", None) - if version is not None: version = int(version) + if version is not None: + try: + version = int(version) + except ValueError: + return None # invalid version, ignore cookie secure = standard.get("secure", False) # (discard is also set if expires is Absent) discard = standard.get("discard", False) 
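Review bot: The new `strip_quotes` helper in the first cookielib.py hunk has no docstring, and its two checks run independently, so an unbalanced value such as `"1` is unquoted just like `"1"`. A one-line docstring would make that contract explicit, e.g. `"""Remove one leading and one trailing double quote from text, each independently; text must be a string."""`. It should also state that the argument must be a string, since both callers pass values taken from server-supplied headers.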
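Review bot: In the `if k == "version":` branch of `parse_ns_headers`, `strip_quotes(v)` is called without checking that `v` is a string, and the rewritten `expires` branch does the same. The assignment of `v` is outside this hunk, but if a valueless attribute (a bare `version` or `expires` with no `=`) leaves `v` as `None`, the call raises AttributeError on a server-supplied Set-Cookie header instead of ignoring it. Guarding the calls, e.g. `if v is not None: v = strip_quotes(v)`, keeps one malformed header from aborting cookie extraction for the whole response. The loop body starts and ends outside the hunk.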
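Review bot: The new `try`/`except ValueError` around `int(version)` in the `CookieJar` hunk rejects only text that is not an integer; values such as `-1` or ` 1 ` still convert and the cookie is kept. How the later policy checks treat a negative version is not visible here, so that is worth confirming. If only non-negative versions are meaningful, add `if version < 0: return None` after the conversion. The enclosing method starts and ends outside the hunk.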
diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py index b75511ce476..f57e0c7279e 100644 --- a/Lib/test/test_cookielib.py +++ b/Lib/test/test_cookielib.py @@ -99,7 +99,8 @@ class DateTimeTests(TestCase): class HeaderTests(TestCase): - def test_parse_ns_headers(self): + + def test_parse_ns_headers_expires(self): from cookielib import parse_ns_headers # quotes should be stripped @@ -110,6 +111,17 @@ class HeaderTests(TestCase): ]: self.assertEquals(parse_ns_headers([hdr]), expected) + def test_parse_ns_headers_version(self): + from cookielib import parse_ns_headers + + # quotes should be stripped + expected = [[('foo', 'bar'), ('version', '1')]] + for hdr in [ + 'foo=bar; version="1"', + 'foo=bar; Version="1"', + ]: + self.assertEquals(parse_ns_headers([hdr]), expected) + def test_parse_ns_headers_special_names(self): # names such as 'expires' are not special in first name=value pair # of Set-Cookie: header @@ -1091,6 +1103,8 @@ class CookieTests(TestCase): ["Set-Cookie2: a=foo; path=/; Version=1; domain"], # bad max-age ["Set-Cookie: b=foo; max-age=oops"], + # bad version + ["Set-Cookie: b=foo; version=spam"], ]: c = cookiejar_from_cookie_headers(headers) # these bad cookies shouldn't be set diff --git a/Misc/NEWS b/Misc/NEWS index 021cac025b5..013d598db4b 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -29,6 +29,8 @@ C-API Library ------- +- Issue #3924: Ignore cookies with invalid "version" field in cookielib. + - Issue #6268: Fix seek() method of codecs.open(), don't read the BOM twice after seek(0)
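Review bot: The cases added in `test_parse_ns_headers_version` and the `# bad version` entry cover only balanced quoting and one unquoted non-numeric value. Three inputs a misbehaving server could send are untested: a bare `version` attribute with no `=`, an unbalanced quote such as `version="1`, and a quoted invalid value such as `version="spam"`. Adding them would pin the parser's behaviour on malformed input, for example `["Set-Cookie: b=foo; version=\"spam\""]` in the bad-cookie list if rejection is the intended outcome.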