Issue1375011
Created on 2005-12-07 03:50 by valankar, last changed 2021-01-21 15:12 by cito.
Files

| File name | Uploaded | Description |
|---|---|---|
| Cookie.py.patch | valankar, 2005-12-07 03:50 | Patch for revision 41632 of Cookie.py |
| issue1375011-2.7.patch | mmelin, 2013-02-23 16:45 | Patch, test & docs for Cookie.py on 2.7 |
| issue1375011-3.2.patch | mmelin, 2013-02-23 16:45 | Patch, test & docs for http/cookies.py on 3.2 |
Messages (8)
| msg49178 - (view) | Author: Viraj Alankar (valankar) | Date: 2005-12-07 03:50 | |
This patch implements part of bug 1372650. Sometimes a web client will send 2 instances of the same name:

Cookie: mycookie=foo; mycookie=bar

The specs listed here: http://wp.netscape.com/newsref/std/cookie_spec.html state that the first one is the one that should be used. The other cookies listed are the inherited ones from paths that are a prefix of the current URL. When this is parsed by the Cookie module, mycookie gets set to bar when it should be foo. This patch changes Cookie.py to only use the first instance of duplicate cookies when parsing cookie strings. |
|||
| msg49179 - (view) | Author: Björn Lindqvist (sonderblade) | Date: 2007-03-14 23:54 | |
That link is misleading and just confuses you. :) Instead read John J. Lee's great explanation at the referenced bug report. I have tested the patch and it works as expected. Without the patch:
>>> c = SimpleCookie('foo=33;foo=34')
>>> print c
Set-Cookie: foo=34
With the patch:
>>> c = SimpleCookie('foo=33;foo=34')
>>> print c
Set-Cookie: foo=33
There should be a unit test though and something in the documentation. The keys dict should be a set instead.
|
|||
| msg86297 - (view) | Author: Daniel Diniz (ajaksu2) | Date: 2009-04-22 14:42 | |
See discussion in issue 1372650. |
|||
| msg114634 - (view) | Author: Mark Lawrence (BreamoreBoy) * | Date: 2010-08-22 01:33 | |
Even if the patch is still valid there are still no doc or unit test changes. |
|||
| msg182758 - (view) | Author: Martin Melin (mmelin) * | Date: 2013-02-23 16:45 | |
Attached is a patch with Viraj's original fix except using a set instead of a dict as suggested by Björn. This patch also includes a test case and a note in the docs about this behavior. Since Cookie has been moved and the code has been cleaned up somewhat between 2.7 and 3.2 I'm attaching patches for both branches. Of course, a decision still needs to be made whether or not this should be applied; the behavior is more correct now, but I don't know if it is worth potentially breaking applications that have come to expect the old behavior. There doesn't seem to be a consensus in #1372650 but I thought having a complete patch would be a good thing regardless. |
|||
| msg182759 - (view) | Author: Martin Melin (mmelin) * | Date: 2013-02-23 16:45 | |
Just adding the 3.2 patch |
|||
| msg353845 - (view) | Author: karl (karlcow) * | Date: 2019-10-03 12:52 | |
Relevant spec https://tools.ietf.org/html/rfc6265 |
|||
| msg385430 - (view) | Author: Christoph Zwerschke (cito) * | Date: 2021-01-21 15:12 | |
This patch should really be included. As karl already mentioned, the relevant spec is RFC 6265, see section 5.4.2: "The user agent SHOULD sort the cookie-list in the following order: Cookies with longer paths are listed before cookies with shorter paths. Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times." Currently, if the cookies are loaded with cookies.load(env['HTTP_COOKIE']) as most web frameworks do, then the cookies will be populated with the least specific or oldest values if there are duplicates. This is really bad. |
|||
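The behaviour discussed in this thread, as an added example that is not the attached patch or any code from the issue: it compares the value `SimpleCookie.load()` keeps for a duplicated name with a first-occurrence parse that also reports the duplicates so they can be logged. `parse_pairs`, `first_wins` and `stdlib_value` are hypothetical names, the sample header is constructed, and the parser is simplified (quoted values are not unquoted).

```python
from http.cookies import SimpleCookie

# Constructed sample: the duplicate-name header from the first message,
# preceded by an unrelated cookie.
SAMPLE = "session=abc; mycookie=foo; mycookie=bar"


def parse_pairs(header):
    """Split a Cookie request header into ordered (name, value) pairs.

    Simplified for illustration: quoted values are not unquoted.
    """
    pairs = []
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep and name:  # skip empty chunks and chunks without '='
            pairs.append((name.strip(), value.strip()))
    return pairs


def first_wins(header):
    """Return (chosen, duplicates).

    chosen maps each name to its first value; duplicates maps every
    repeated name to all values seen, in header order, for logging.
    """
    chosen, seen = {}, {}
    for name, value in parse_pairs(header):
        seen.setdefault(name, []).append(value)
        chosen.setdefault(name, value)  # keep the first occurrence only
    duplicates = {n: v for n, v in seen.items() if len(v) > 1}
    return chosen, duplicates


def stdlib_value(header, name):
    """Value that an unpatched SimpleCookie.load() keeps for name."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value


if __name__ == "__main__":
    chosen, duplicates = first_wins(SAMPLE)
    print("SimpleCookie keeps:", stdlib_value(SAMPLE, "mycookie"))
    print("first-wins keeps:  ", chosen["mycookie"])
    print("duplicated names:  ", duplicates)
```
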
History

| Date | User | Action | Args |
|---|---|---|---|
| 2021-01-21 15:12:28 | cito | set | nosy: + cito messages: + msg385430 |
| 2020-11-06 20:00:24 | iritkatriel | set | versions: + Python 3.8, Python 3.9, Python 3.10, - Python 3.1, Python 2.7, Python 3.2 |
| 2019-10-03 12:52:29 | karlcow | set | nosy: + karlcow messages: + msg353845 |
| 2016-08-22 12:31:03 | martin.panter | set | title: Improper handling of duplicate cookies -> http.cookies, Cookie.py: Improper handling of duplicate cookies |
| 2016-04-25 12:01:01 | berker.peksag | link | issue7504 superseder |
| 2014-02-03 18:40:14 | BreamoreBoy | set | nosy: - BreamoreBoy |
| 2013-02-23 16:45:57 | mmelin | set | files: + issue1375011-3.2.patch messages: + msg182759 |
| 2013-02-23 16:45:05 | mmelin | set | files: + issue1375011-2.7.patch nosy: + mmelin messages: + msg182758 |
| 2010-08-30 16:53:05 | BreamoreBoy | link | issue1372650 superseder |
| 2010-08-30 16:53:05 | BreamoreBoy | unlink | issue1372650 dependencies |
| 2010-08-22 01:33:46 | BreamoreBoy | set | nosy: + BreamoreBoy messages: + msg114634 |
| 2009-04-22 14:42:51 | ajaksu2 | set | keywords: + easy nosy: + ajaksu2 messages: + msg86297 |
| 2009-02-16 03:57:53 | ajaksu2 | link | issue1372650 dependencies |
| 2009-02-13 01:16:33 | ajaksu2 | set | nosy: + jjlee stage: test needed type: behavior versions: + Python 2.6, - Python 2.5 |
| 2005-12-07 03:50:53 | valankar | create | |
