Process "evil" JSON cookies which contain double quotes

Such cookies violate RFC 2965 / 2616.

Fixes LP #563229.

doc/CHANGES.rst

@@ -11,6 +11,9 @@ http://docs.zope.org/zope2/releases/.
 Bugs Fixed
 ++++++++++
 
+- LP #563229:  Process "evil" JSON cookies which contain double quotes in
+  violation of RFC 2965 / 2616.
+
 - Document ``Products.PluginIndexes.PathIndex.PathIndex.insertEntry`` as
   an API for use by subclasses.
 

src/ZPublisher/HTTPRequest.py

@@ -1642,7 +1642,7 @@ parse_cookie_lock = allocate_lock()
 QPARMRE= re.compile(
         '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)')
 PARMRE = re.compile(
-        '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)')
+        '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)')
 PARAMLESSRE = re.compile(
         '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)')
 def parse_cookie(text,

src/ZPublisher/tests/testHTTPRequest.py

@@ -996,6 +996,20 @@ class HTTPRequestTests(unittest.TestCase):
             "HTTPRequest.resolve_url should not emit events")
 
 
+    def test_parses_json_cookies(self):
+        # https://bugs.launchpad.net/zope2/+bug/563229
+        # reports cookies in the wild with embedded double quotes (e.g,
+        # JSON-encoded data structures.
+        env = {'SERVER_NAME': 'testingharnas',
+               'SERVER_PORT': '80',
+               'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+                              'anothercookie=boring; baz'
+              }
+        req = self._makeOne(environ=env)
+        self.assertEquals(req.cookies['json'],
+                          '{"intkey":123,"stringkey":"blah"}')
+        self.assertEquals(req.cookies['anothercookie'], 'boring')
+
 TEST_ENVIRON = {
     'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
     'REQUEST_METHOD': 'POST',