#22758: fix regression in handling of secure cookies.
This backports the fix from #16611, per discussion with the release manager.
This commit is contained in:
parent
035583b389
commit
5f21f43af7
|
@ -338,6 +338,8 @@ class Morsel(dict):
|
|||
"version" : "Version",
|
||||
}
|
||||
|
||||
_flags = {'secure', 'httponly'}
|
||||
|
||||
def __init__(self):
|
||||
# Set defaults
|
||||
self.key = self.value = self.coded_value = None
|
||||
|
@ -437,15 +439,18 @@ _CookiePattern = re.compile(r"""
|
|||
(?P<key> # Start of group 'key'
|
||||
[""" + _LegalKeyChars + r"""]+? # Any word of at least one letter
|
||||
) # End of group 'key'
|
||||
\s*=\s* # Equal Sign
|
||||
(?P<val> # Start of group 'val'
|
||||
"(?:[^\\"]|\\.)*" # Any doublequoted string
|
||||
| # or
|
||||
( # Optional group: there may not be a value.
|
||||
\s*=\s* # Equal Sign
|
||||
(?P<val> # Start of group 'val'
|
||||
"(?:[^\\"]|\\.)*" # Any doublequoted string
|
||||
| # or
|
||||
\w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT # Special case for "expires" attr
|
||||
| # or
|
||||
[""" + _LegalValueChars + r"""]* # Any word or empty string
|
||||
) # End of group 'val'
|
||||
\s*;? # Probably ending in a semi-colon
|
||||
| # or
|
||||
[""" + _LegalValueChars + r"""]* # Any word or empty string
|
||||
) # End of group 'val'
|
||||
)? # End of optional value group
|
||||
\s* # Any number of spaces.
|
||||
(\s+|;|$) # Ending either at space, semicolon, or EOS.
|
||||
""", re.ASCII) # May be removed if safe.
|
||||
|
||||
|
||||
|
@ -551,8 +556,12 @@ class BaseCookie(dict):
|
|||
M[key[1:]] = value
|
||||
elif key.lower() in Morsel._reserved:
|
||||
if M:
|
||||
M[key] = _unquote(value)
|
||||
else:
|
||||
if value is None:
|
||||
if key.lower() in Morsel._flags:
|
||||
M[key] = True
|
||||
else:
|
||||
M[key] = _unquote(value)
|
||||
elif value is not None:
|
||||
rval, cval = self.value_decode(value)
|
||||
self.__set(key, rval, cval)
|
||||
M = self[key]
|
||||
|
|
|
@ -114,13 +114,51 @@ class CookieTests(unittest.TestCase):
|
|||
self.assertEqual(C.output(),
|
||||
'Set-Cookie: Customer="WILE_E_COYOTE"; Max-Age=10')
|
||||
|
||||
# others
|
||||
def test_set_secure_httponly_attrs(self):
|
||||
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
|
||||
C['Customer']['secure'] = True
|
||||
C['Customer']['httponly'] = True
|
||||
self.assertEqual(C.output(),
|
||||
'Set-Cookie: Customer="WILE_E_COYOTE"; httponly; secure')
|
||||
|
||||
def test_secure_httponly_false_if_not_present(self):
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('eggs=scrambled; Path=/bacon')
|
||||
self.assertFalse(C['eggs']['httponly'])
|
||||
self.assertFalse(C['eggs']['secure'])
|
||||
|
||||
def test_secure_httponly_true_if_present(self):
|
||||
# Issue 16611
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('eggs=scrambled; httponly; secure; Path=/bacon')
|
||||
self.assertTrue(C['eggs']['httponly'])
|
||||
self.assertTrue(C['eggs']['secure'])
|
||||
|
||||
def test_secure_httponly_true_if_have_value(self):
|
||||
# This isn't really valid, but demonstrates what the current code
|
||||
# is expected to do in this case.
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('eggs=scrambled; httponly=foo; secure=bar; Path=/bacon')
|
||||
self.assertTrue(C['eggs']['httponly'])
|
||||
self.assertTrue(C['eggs']['secure'])
|
||||
# Here is what it actually does; don't depend on this behavior. These
|
||||
# checks are testing backward compatibility for issue 16611.
|
||||
self.assertEqual(C['eggs']['httponly'], 'foo')
|
||||
self.assertEqual(C['eggs']['secure'], 'bar')
|
||||
|
||||
def test_bad_attrs(self):
|
||||
# issue 16611: make sure we don't break backward compatibility.
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('cookie=with; invalid; version; second=cookie;')
|
||||
self.assertEqual(C.output(),
|
||||
'Set-Cookie: cookie=with\r\nSet-Cookie: second=cookie')
|
||||
|
||||
def test_extra_spaces(self):
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('eggs = scrambled ; secure ; path = bar ; foo=foo ')
|
||||
self.assertEqual(C.output(),
|
||||
'Set-Cookie: eggs=scrambled; Path=bar; secure\r\nSet-Cookie: foo=foo')
|
||||
|
||||
def test_quoted_meta(self):
|
||||
# Try cookie with quoted meta-data
|
||||
C = cookies.SimpleCookie()
|
||||
|
|
|
@ -28,6 +28,9 @@ Tests
|
|||
self-signed.pythontest.net. This avoids relying on svn.python.org, which
|
||||
recently changed root certificate.
|
||||
|
||||
- Issue #22758: Fix a regression that no longer allowed secure and httponly
|
||||
cookies to be parsed.
|
||||
|
||||
|
||||
What's New in Python 3.2.6?
|
||||
===========================
|
||||
|
|
Loading…
Reference in New Issue