Commit Graph

31 Commits

Author SHA1 Message Date
Serhiy Storchaka 44e458357f
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
This fixes CVE-2024-7592.
2024-08-17 16:30:52 +03:00
Serhiy Storchaka a856364cc9
bpo-45229: Use doctest.DocTestSuite instead of run_doctest (GH-28468)
Alo use load_tests() for adding tests.
2021-09-20 11:36:57 +03:00
Berker Peksag d5a2377c3d
bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555) 2018-04-23 02:48:11 +03:00
Alex Gaynor c87eb09d2e
bpo-29613: Added support for SameSite cookies (GH-6413)
* bpo-29613: Added support for SameSite cookies

Implemented as per draft
https://tools.ietf.org/html/draft-west-first-party-cookies-07

* Documented SameSite

And suggestions by members.

* Missing space :(

* Updated News and contributors

* Added version changed details.

* Fix in documentation

* fix in documentation

* Clubbed test cases for same attribute into single.

* Updates

* Style nits + expand tests

* review feedback
2018-04-07 16:09:42 -04:00
Victor Stinner d6debb24e0 bpo-29919: Remove unused imports found by pyflakes (#137)
Make also minor PEP8 coding style fixes on modified imports.
2017-03-27 16:05:26 +02:00
Serhiy Storchaka cc283378d6 Issue #29192: Removed deprecated features in the http.cookies module. 2017-01-13 09:23:15 +02:00
Anish Shah 102d813b55 Issue #26302: Correctly identify comma as an invalid character for a cookie (correcting regression in Python 3.5). 2016-02-07 05:36:00 +05:00
Benjamin Peterson 5a69420062 merge 3.4 (#22931) 2015-05-23 10:41:30 -05:00
Benjamin Peterson c4ae86e477 merge 3.3 (#22931) 2015-05-23 10:40:47 -05:00
Benjamin Peterson d504f20e1c merge 3.2 (#22931) 2015-05-23 10:38:48 -05:00
Benjamin Peterson 9bd476ea57 allow square brackets in cookie values (closes #22931) 2015-05-23 10:36:48 -05:00
R David Murray 1813c1701f #2211: properly document the Morsel behavior changes.
Also deprecate the undocumented set argument instead of removing
it already in 3.5.

Initial patch by Demian Brecht.
2015-03-29 17:09:21 -04:00
Serhiy Storchaka 6c32585f67 Restored backward compatibility of pickling http.cookies.Morsel. It was
broken after converting instance attributes to properies in issue #2211.
2015-03-18 18:03:40 +02:00
Serhiy Storchaka 9c1a9b2657 Issue #2211: Updated the implementation of the http.cookies.Morsel class.
Setting attributes key, value and coded_value directly now is deprecated.
update() and setdefault() now transform and check keys.  Comparing for
equality now takes into account attributes key, value and coded_value.
copy() now returns a Morsel, not a dict.  repr() now contains all attributes.
Optimized checking keys and quoting values.  Added new tests.
Original patch by Demian Brecht.
2015-03-18 10:59:57 +02:00
Benjamin Peterson 5b883296f6 merge 3.4 (#22986) 2015-01-16 20:46:37 -05:00
Benjamin Peterson bd341629b0 capitialize "HttpOnly" and "Secure" as they appear in the standard and other impls (closes #23250)
Patch by Jon Dufresne.
2015-01-16 20:43:55 -05:00
Antoine Pitrou b1e36073cd Issue #22796: HTTP cookie parsing is now stricter, in order to protect against potential injection attacks. 2014-11-21 01:20:57 +01:00
Serhiy Storchaka 8cf7c1cff0 Issue #22775: Fixed unpickling of http.cookies.SimpleCookie with protocol 2
and above.  Patch by Tim Graham.
2014-11-02 22:18:25 +02:00
Antoine Pitrou 7d0b8f95e7 Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.
2014-09-17 00:23:55 +02:00
Antoine Pitrou dad182c16e Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.
2014-09-17 00:23:55 +02:00
R David Murray cd0f74b1e0 #16611: BaseCookie now parses 'secure' and 'httponly' flags.
Previously it generated them if they were given a value, but completely
ignored them if they were present in the string passed in to be parsed.  Now
if the flag appears on a cookie, the corresponding Morsel key will reference a
True value.  Other pre-existing behavior is retained in this maintenance
patch: if the source contains something like 'secure=foo', morsel['secure']
will return 'foo'.  Since such a value doesn't round trip and never did (and
would be a surprising occurrence) a subsequent non-bug-fix patch may change
this behavior.

Inspired by a patch from Julien Phalip, who reviewed this one.
2013-08-25 11:09:02 -04:00
Senthil Kumaran 0b943a18ef Issue #14426: Correct the Date format in Expires attribute of Set-Cookie. Patch by Federico Reghenzani and Müte Invert 2012-05-20 12:06:51 +08:00
Senthil Kumaran 00c2ec282e Issue #14426: Correct the Date format in Expires attribute of Set-Cookie. Patch by Federico Reghenzani and Müte Invert 2012-05-20 12:05:16 +08:00
Senthil Kumaran 3a441c1bed Fix Issue2193 - Allow ":" character in Cookie NAME values 2012-04-22 09:19:04 +08:00
R. David Murray e05ca2aff4 #9824: encode , and ; in cookie values so that browsers don't split on them
There is a small chance of backward incompatibility here, but only for
non-SimpleCookie applications reading SimpleCookie generated cookies.  Even
then, any such ap is likely to be handling escaped values already, and it would
take a fairly perverse implementation of unescaping to fail to unescape these
newly escaped chars, so the risk seems minimal.
2010-12-28 18:54:13 +00:00
Georg Brandl b16e38b825 #8826: the "expires" attribute value is a date string with spaces, but apparently not all user-agents put it in quotes. Handle that as a special case. 2010-08-01 09:06:34 +00:00
Georg Brandl 76e155a157 #3788: more tests for http.cookies, now at 95% coverage. Also bring coding style in the module up to PEP 8, where it does not break backwards compatibility. 2010-07-31 21:04:00 +00:00
Brett Cannon d3791ed450 Fix the warnings filter usage in test_http_cookies. 2010-03-20 21:51:10 +00:00
Senthil Kumaran 3e2ea79bda Fixing the issue4860. Escaping the embedded '"' in the js_output method of Morsel class. 2009-04-02 03:02:03 +00:00
Georg Brandl 6101395e74 Remove deprecated SmartCookie and SerialCookie classes. 2008-05-28 15:56:30 +00:00
Georg Brandl 2442015af2 Create http package. #2883. 2008-05-26 16:32:26 +00:00