Merged revisions 87550 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/branches/py3k ........ r87550 | r.david.murray | 2010-12-28 13:54:13 -0500 (Tue, 28 Dec 2010) | 8 lines #9824: encode , and ; in cookie values so that browsers don't split on them There is a small chance of backward incompatibility here, but only for non-SimpleCookie applications reading SimpleCookie generated cookies. Even then, any such ap is likely to be handling escaped values already, and it would take a fairly perverse implementation of unescaping to fail to unescape these newly escaped chars, so the risk seems minimal. ........
2010-12-28 18:56:33 +00:00 · 2010-12-28 18:56:33 +00:00 · daa7ba038b
parent 6c85838489
commit daa7ba038b
3 changed files with 16 additions and 0 deletions
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@ -178,6 +178,11 @@ _Translator       = {
    '\033' : '\\033',  '\034' : '\\034',  '\035' : '\\035',
    '\036' : '\\036',  '\037' : '\\037',

+    # Because of the way browsers really handle cookies (as opposed
+    # to what the RFC says) we also encode , and ;
+
+    ',' : '\\054', ';' : '\\073',
+
    '"' : '\\"',       '\\' : '\\\\',

    '\177' : '\\177',  '\200' : '\\200',  '\201' : '\\201',
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@ -65,6 +65,14 @@ class CookieTests(unittest.TestCase):
        </script>
        """)

+    def test_extended_encode(self):
+        # Issue 9824: some browsers don't follow the standard; we now
+        # encode , and ; to keep them from tripping up.
+        C = cookies.SimpleCookie()
+        C['val'] = "some,funky;stuff"
+        self.assertEqual(C.output(['val']),
+            'Set-Cookie: val="some\\054funky\\073stuff"')
+
    def test_special_attrs(self):
        # 'expires'
        C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -24,6 +24,9 @@ Core and Builtins
 Library
 -------

+- Issue 9824: SimpleCookie now encodes , and ; in values to cater to how
+  browsers actually parse cookies.
+
 - Issue #5258/#10642: if site.py encounters a .pth file that generates an error,
  it now prints the filename, line number, and traceback to stderr and skips
  the rest of that individual file, instead of stopping processing entirely.