
classification
Title: cookielib mis-handles RFC 2109 cookies in Netscape mode
Components: Library (Lib)
Versions: Python 2.5
process
Status: closed
Resolution: accepted
Assigned To: nnorwitz
Nosy List: jjlee, nnorwitz
Priority: normal
Keywords: patch

Created on 2005-03-04 23:09 by jjlee, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name Uploaded Description
rfc2109-2.patch jjlee, 2005-12-05 22:28
Messages (4)
msg47879 - Author: John J Lee (jjlee) Date: 2005-03-04 23:09
cookielib treats RFC 2109 cookies as RFC 2965 even when
functioning as a pure Netscape protocol implementation
(i.e. when RFC 2965 handling is disabled by setting a
CookiePolicy instance's rfc2965 attribute false).  This
is not correct: the Netscape cookie protocol, in the
absence of RFC 2965 (yes, BTW: RFC 2965 and its
unfinished errata say that RFC 2965 and Netscape
handling are supposed to interact with each other, in
complicated and ill-defined ways), treats RFC 2109
cookies as Netscape cookies.

Background:  The Netscape protocol is an ad-hoc
standard defined by the MSIE and Mozilla browser
implementations.  A Netscape cookie is one set in the
Set-Cookie header with no version cookie-attribute.  An
RFC 2109 cookie is one set in the Set-Cookie header
with a version cookie-attribute of 1.  An RFC 2965
cookie is one set in the Set-Cookie2 (note the '2')
header with a version cookie-attribute of 1.  Popular
browsers treat RFC 2109 cookies as Netscape cookies
(which, ad-hoc as Netscape cookies are, effectively
include a few bits and pieces from the 2109 standard).

The bug breaks apps like Mailman that (naively or
stubbornly) send RFC 2109 cookies.

The patch treats RFC 2109 cookies as Netscape cookies
if RFC 2965 handling is turned off.  (It also removes
two no-op lines of code at around line 1304).  Test and
doc patches are included.  2.4 backport candidate.

(The bug was uncovered by the switch, in the patch
originally accepted to Python stdlib, to RFC 2965
handling being off by default.  Earlier versions of
ClientCookie had RFC 2965 off by default.)
msg47880 - Author: John J Lee (jjlee) Date: 2005-03-04 23:11
> (...Earlier versions of ClientCookie had RFC 2965 off by default.)

I meant to say:

> (...Earlier versions of ClientCookie had RFC 2965 on by default.)
msg47881 - Author: John J Lee (jjlee) Date: 2005-12-05 22:28
Since this didn't get applied in 2.4.1 or 2.4.2, I have
uploaded a new patch for 2.5, and deleted the original patch
attached to this tracker item.  Tests and documentation
changes are included in the patch.

In addition to fixing the bug described in the original
patch comment, this patch (rfc2109-2.patch) adds two new
attributes (hence should not be back-ported):

1. Cookie instances have an rfc2109 attribute.

This attribute is true if the cookie was received as an RFC
2109 cookie (i.e. the cookie arrived in a
Set-Cookie header, and the value of the Version
cookie-attribute in that header was 1).

2. DefaultCookiePolicy instances have an rfc2109_as_netscape
attribute.

Assigning to this attribute allows explicit control over
whether RFC 2109 cookies are 'downgraded' to Netscape cookies.
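
The behaviour discussed in this issue, as an added example that is not part of the original tracker messages or the patch: it uses `http.cookiejar`, the Python 3 name of cookielib, to show how one RFC 2109 `Set-Cookie` header is handled under different `rfc2965` / `rfc2109_as_netscape` settings. The header values, the host `www.example.com`, and the helper names `_Response` and `accepted_cookies` are constructed for illustration.

```python
# Added example (not from the tracker or the patch). http.cookiejar is the
# Python 3 name of cookielib; header values and host below are constructed.
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy

RFC2109_HEADER = "session=abc123; Version=1; Path=/"   # Set-Cookie + Version=1
NETSCAPE_HEADER = "session=abc123; Path=/"             # no Version attribute


class _Response:
    """Hypothetical stand-in for an HTTP response; CookieJar only needs info()."""

    def __init__(self, set_cookie_value):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def accepted_cookies(set_cookie_value, **policy_kwargs):
    """Return (name, version, rfc2109) for each cookie the policy accepts."""
    jar = CookieJar(DefaultCookiePolicy(**policy_kwargs))
    request = urllib.request.Request("http://www.example.com/")
    jar.extract_cookies(_Response(set_cookie_value), request)
    return [(c.name, c.version, c.rfc2109) for c in jar]


if __name__ == "__main__":
    cases = [
        ("Netscape cookie, defaults", NETSCAPE_HEADER, {}),
        # rfc2965 defaults to False, so rfc2109_as_netscape=None means downgrade.
        ("RFC 2109 cookie, defaults", RFC2109_HEADER, {}),
        # Downgrade disabled while RFC 2965 is off: the cookie keeps version 1
        # and the policy rejects it, so the jar stays empty.
        ("RFC 2109, no downgrade, rfc2965 off", RFC2109_HEADER,
         {"rfc2965": False, "rfc2109_as_netscape": False}),
        # RFC 2965 on: rfc2109_as_netscape=None leaves the cookie at version 1.
        ("RFC 2109, rfc2965 on", RFC2109_HEADER, {"rfc2965": True}),
        # Explicit downgrade even with RFC 2965 handling enabled.
        ("RFC 2109, forced downgrade, rfc2965 on", RFC2109_HEADER,
         {"rfc2965": True, "rfc2109_as_netscape": True}),
    ]
    for label, header, kwargs in cases:
        print(f"{label}: {accepted_cookies(header, **kwargs)}")
```

A client whose jar stays empty in the third case never returns the session cookie, which is why the policy choice matters for servers that emit RFC 2109 cookies.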
msg47882 - Author: Neal Norwitz (nnorwitz) (Python committer) Date: 2005-12-23 21:45
Since there were API changes, I did not backport this to 2.4.

Committed revision 41802.
History
Date User Action Args
2022-04-11 14:56:10 admin set github: 41654
2005-03-04 23:09:41 jjlee create