[Patches] [ python-Patches-1157027 ] cookielib mis-handles RFC 2109 cookies in Netscape mode

SourceForge.net noreply at sourceforge.net
Sat Mar 5 00:09:42 CET 2005


Patches item #1157027, was opened at 2005-03-04 23:09
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1157027&group_id=5470

Category: Library (Lib)
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: John J Lee (jjlee)
Assigned to: Nobody/Anonymous (nobody)
Summary: cookielib mis-handles RFC 2109 cookies in Netscape mode

Initial Comment:
cookielib treats RFC 2109 cookies as RFC 2965 even when
functioning as a pure Netscape protocol implementation
(i.e. when RFC 2965 handling is disabled by setting a
CookiePolicy instance's rfc2965 attribute false).  This
is not correct: the Netscape cookie protocol, in the
absence of RFC 2965 (yes, BTW: RFC 2965 and its
unfinished errata say that RFC 2965 and Netscape
handling are supposed to interact with each other, in
complicated and ill-defined ways), treats RFC 2109
cookies as Netscape cookies.

Background:  The Netscape protocol is an ad-hoc
standard defined by the MSIE and Mozilla browser
implementations.  A Netscape cookie is one set in the
Set-Cookie header with no version cookie-attribute.  An
RFC 2109 cookie is one set in the Set-Cookie header
with a version cookie-attribute of 1.  An RFC 2965
cookie is one set in the Set-Cookie2 (note the '2')
header with a version cookie-attribute of 1.  Popular
browsers treat RFC 2109 cookies as Netscape cookies
(which, ad-hoc as Netscape cookies are, effectively
include a few bits and pieces from the 2109 standard).

The bug breaks apps like Mailman that (naively or
stubbornly) send RFC 2109 cookies.

The patch treats RFC 2109 cookies as Netscape cookies
if RFC 2965 handling is turned off.  (It also removes
two no-op lines of code at around line 1304).  Test and
doc patches are included.  2.4 backport candidate.

(The bug was uncovered by the switch, in the patch
originally accepted to Python stdlib, to RFC 2965
handling being off by default.  Earlier versions of
ClientCookie had RFC 2965 off by default.)


----------------------------------------------------------------------
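
The classification described in the comment above, as an added example that is not part of the original tracker item or its patch: it runs on Python 3, where cookielib is named http.cookiejar, and reads the Cookie.version and Cookie.rfc2109 attributes documented in the current standard library. The FakeResponse helper, the classify function, the host www.example.com and the header lines are constructed for illustration.

```python
import email
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class FakeResponse:
    """Hypothetical stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, header_line):
        self._headers = email.message_from_string(header_line + "\n\n")

    def info(self):
        return self._headers


def classify(header_line, rfc2965_enabled):
    """Return (version, rfc2109) for the cookie in one constructed header line,
    or None if the policy makes the jar ignore that header entirely."""
    jar = CookieJar(DefaultCookiePolicy(rfc2965=rfc2965_enabled))
    request = urllib.request.Request("http://www.example.com/")
    cookies = jar.make_cookies(FakeResponse(header_line), request)
    if not cookies:
        return None
    return cookies[0].version, cookies[0].rfc2109


# Constructed sample headers, one per cookie flavour named in the report.
NETSCAPE = "Set-Cookie: sid=abc; Path=/"
RFC2109 = "Set-Cookie: sid=abc; Version=1; Path=/"
RFC2965 = 'Set-Cookie2: sid=abc; Version="1"; Path="/"'

if __name__ == "__main__":
    for rfc2965_enabled in (False, True):
        for label, line in (("Netscape", NETSCAPE), ("RFC 2109", RFC2109),
                            ("RFC 2965", RFC2965)):
            print(f"rfc2965={rfc2965_enabled!s:5} {label:8} -> "
                  f"{classify(line, rfc2965_enabled)}")
```

A version of 0 together with rfc2109 set to True marks a cookie that arrived as RFC 2109 and was handled as a Netscape cookie, which is what to check for when auditing how a client stored a Version=1 Set-Cookie header.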
