[issue1375011] http.cookies, Cookie.py: Improper handling of duplicate cookies
Christoph Zwerschke
report at bugs.python.org
Thu Jan 21 10:12:28 EST 2021
Christoph Zwerschke <cito at online.de> added the comment:
This patch should really be included.
As carl already mentioned, the relevant spec is RFC 6265, see section 5.4.2: "The user agent SHOULD sort the cookie-list in the following order: Cookies with longer paths are listed before cookies with shorter paths. Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times."
Currently, if the cookies are loaded with cookies.load(env['HTTP_COOKIE']) as most web frameworks do, then the cookies will be populated with the least specific or oldest values if there are duplicates. This is really bad.
----------
nosy: +cito
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue1375011>
_______________________________________
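Added example, not part of the original message or of the patch under discussion: it contrasts what `SimpleCookie.load()` returns for a header containing a duplicate name with a first-occurrence-wins parse that matches the RFC 6265 ordering quoted above. The header value and the helper names (`_pairs`, `stdlib_load`, `first_wins`, `duplicate_names`) are constructed for illustration, and the parse assumes cookie values contain no `;`.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed sample header. Per RFC 6265 section 5.4.2 the user agent lists
# the cookie with the longer path (say /app) before the one set for /.
SAMPLE_HEADER = "session=app-specific; theme=dark; session=site-wide"


def _pairs(header):
    """Yield (name, raw_pair) for each name=value pair in a Cookie header.

    Assumes RFC 6265 cookie-octets, i.e. no ';' inside a value.
    """
    for raw in header.split(";"):
        raw = raw.strip()
        if "=" in raw:
            yield raw.split("=", 1)[0].strip(), raw


def stdlib_load(header):
    """Values as SimpleCookie.load() reports them: a later duplicate overwrites."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def first_wins(header):
    """Keep the first occurrence of each name: longest path, then oldest."""
    result = {}
    for name, raw in _pairs(header):
        if name in result:
            continue  # a less specific or newer duplicate; ignore it
        jar = SimpleCookie()
        try:
            jar.load(raw)  # reuse the stdlib unquoting for a single pair
        except CookieError:
            continue
        if name in jar:
            result[name] = jar[name].value
    return result


def duplicate_names(header):
    """Names that occur more than once, for logging or rejecting the request."""
    names = [name for name, _ in _pairs(header)]
    return sorted({name for name in names if names.count(name) > 1})
```
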