[New-bugs-announce] [issue9824] SimpleCookie should escape commas and semi-colons
Luke Plant
report at bugs.python.org
Fri Sep 10 18:50:10 CEST 2010
New submission from Luke Plant <L.Plant.98 at cantab.net>:
In developing Django, we found that some browsers don't treat commas and semi-colons in cookie values (i.e. the Set-Cookie header) the way that RFC 2109 says they should. (Safari splits the header on a comma followed by space, Internet Explorer splits on semi-colons - both irrespective of any 'quoting').
The result is that if you use SimpleCookie to create Set-Cookie headers, where the cookie value contains a comma or semi-colon, you can get all kinds of breakage.
In the end, we realised that the RFCs are kind of irrelevant, and we have to look at what browsers actually do. So, it would be much more useful if semi-colons and commas were escaped the way that other characters are by SimpleCookie.
Our discussion/findings are here:
http://code.djangoproject.com/ticket/12470#comment:4
http://groups.google.com/group/django-developers/msg/2cb729938e8e67ca
The patch to Cookie.py (Python 2.X) or http/cookies.py (Python 3.X) is simple and follows. I'm assuming that this applies to Python 3.2 and 3.3, but I haven't checked.
----------
components: Library (Lib)
files: simplecookie_fix.diff
keywords: patch
messages: 116030
nosy: spookylukey
priority: normal
severity: normal
status: open
title: SimpleCookie should escape commas and semi-colons
type: behavior
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3
Added file: http://bugs.python.org/file18833/simplecookie_fix.diff
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9824>
_______________________________________
More information about the New-bugs-announce
mailing list