Issue #3924: Ignore cookies with invalid "version" field in cookielib.

Lib/cookielib.py

@@ -434,6 +434,13 @@ def join_header_words(lists):
         if attr: headers.append("; ".join(attr))
     return ", ".join(headers)
 
+def strip_quotes(text):
+    if text.startswith('"'):
+        text = text[1:]
+    if text.endswith('"'):
+        text = text[:-1]
+    return text
+
 def parse_ns_headers(ns_headers):
     """Ad-hoc parser for Netscape protocol cookie-attributes.
 
@@ -451,7 +458,7 @@ def parse_ns_headers(ns_headers):
     """
     known_attrs = ("expires", "domain", "path", "secure",
                    # RFC 2109 attrs (may turn up in Netscape cookies, too)
-                   "port", "max-age")
+                   "version", "port", "max-age")
 
     result = []
     for ns_header in ns_headers:
@@ -471,12 +478,11 @@ def parse_ns_headers(ns_headers):
                     k = lc
                 if k == "version":
                     # This is an RFC 2109 cookie.
+                    v = strip_quotes(v)
                     version_set = True
                 if k == "expires":
                     # convert expires date to seconds since epoch
-                    if v.startswith('"'): v = v[1:]
+                    v = http2time(strip_quotes(v))  # None if invalid
-                    if v.endswith('"'): v = v[:-1]
-                    v = http2time(v)  # None if invalid
             pairs.append((k, v))
 
         if pairs:
@@ -1450,7 +1456,11 @@ class CookieJar:
 
         # set the easy defaults
         version = standard.get("version", None)
-        if version is not None: version = int(version)
+        if version is not None:
+            try:
+                version = int(version)
+            except ValueError:
+                return None  # invalid version, ignore cookie
         secure = standard.get("secure", False)
         # (discard is also set if expires is Absent)
         discard = standard.get("discard", False)

Lib/test/test_cookielib.py

@@ -99,7 +99,8 @@ class DateTimeTests(TestCase):
 
 
 class HeaderTests(TestCase):
-    def test_parse_ns_headers(self):
+
+    def test_parse_ns_headers_expires(self):
         from cookielib import parse_ns_headers
 
         # quotes should be stripped
@@ -110,6 +111,17 @@ class HeaderTests(TestCase):
             ]:
             self.assertEquals(parse_ns_headers([hdr]), expected)
 
+    def test_parse_ns_headers_version(self):
+        from cookielib import parse_ns_headers
+
+        # quotes should be stripped
+        expected = [[('foo', 'bar'), ('version', '1')]]
+        for hdr in [
+            'foo=bar; version="1"',
+            'foo=bar; Version="1"',
+            ]:
+            self.assertEquals(parse_ns_headers([hdr]), expected)
+
     def test_parse_ns_headers_special_names(self):
         # names such as 'expires' are not special in first name=value pair
         # of Set-Cookie: header
@@ -1091,6 +1103,8 @@ class CookieTests(TestCase):
             ["Set-Cookie2: a=foo; path=/; Version=1; domain"],
             # bad max-age
             ["Set-Cookie: b=foo; max-age=oops"],
+            # bad version
+            ["Set-Cookie: b=foo; version=spam"],
             ]:
             c = cookiejar_from_cookie_headers(headers)
             # these bad cookies shouldn't be set

Misc/NEWS

@@ -29,6 +29,8 @@ C-API
 Library
 -------
 
+- Issue #3924: Ignore cookies with invalid "version" field in cookielib.
+
 - Issue #6268: Fix seek() method of codecs.open(), don't read the BOM twice
   after seek(0)