Disputing Cookie.py's definition of valid characters
Joshua Kugler
joshua at joshuakugler.com
Thu Dec 11 21:47:06 EST 2008
Some investigation today revealed that Cookie.py thinks these are valid
characters for names and values of cookies:
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
The rest, presumably being encoded via %NN.
I notice that (), {}, and others made the list, but not [].
Is there a reason for that? I didn't find a list of valid characters
anywhere in the cookie RFC (disclaimer: I didn't read the HTTP 1.1 RFC).
The reason this got brought up:
I'm parsing some cookies that have been set by a PHP app (out of my control,
no flames please) and it has cookies of the form name[0], name [1], and so
on which get transformed to arrays on the server side such that:
$_COOKIES['name']
Will be a list with values from name[0], name[1].
Well, when these are parsed by Cookie.py, they simply vanish because it
doesn't like the [ and ] in the cookie names. But these are set
successfully and the browser side, and are sent back to the server
successfully.
Since this is a CherryPy app, it's not as easy as just subclassing the
cookie class I want. I suppose I could sub class and then monkey patch
CherryPy, but that feels nasty. Hmm...local copy of Cookie.py that comes
before /usr/lib/python2.5 in the site path would work too.
Thoughts? Is this a bug in Cookie.py, or is PHP out of spec to send cookies
with [ and ] in the name?
j
More information about the Python-list
mailing list