#22758: fix regression in handling of secure cookies.

This backports the fix from #16611, per discussion with the release manager.

#22758: fix regression in handling of secure cookies.
This backports the fix from #16611, per discussion with the release manager.
1bcd54bd · R David Murray · dd6958f8 · 1bcd54bd · 1bcd54bd · 1bcd54bd
Commit 1bcd54bd authored Jul 10, 2016 by R David Murray
Hide whitespace changes
Inline Side-by-side

Showing with 61 additions and 11 deletions

Lib/http/cookies.py Lib/http/cookies.py +19 -10

Lib/test/test_http_cookies.py Lib/test/test_http_cookies.py +39 -1

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -338,6 +338,8 @@ class Morsel(dict):
        "version"  : "Version",
    }
+    _flags = {'secure', 'httponly'}
    def __init__(self):
        # Set defaults
        self.key = self.value = self.coded_value = None
@@ -437,15 +439,18 @@ _CookiePattern = re.compile(r"""
    (?P<key>                       # Start of group 'key'
    [""" + _LegalKeyChars + r"""]+?   # Any word of at least one letter
    )                              # End of group 'key'
-    \s*=\s*                        # Equal Sign
+    (                              # Optional group: there may not be a value.
-    (?P<val>                       # Start of group 'val'
+    \s*=\s*                          # Equal Sign
-    "(?:[^\\"]|\\.)*"                # Any doublequoted string
+    (?P<val>                         # Start of group 'val'
-    |                                # or
+    "(?:[^\\"]|\\.)*"                  # Any doublequoted string
+    |                                  # or
    \w{3},\s[\w\d\s-]{9,11}\s[\d:]{8}\sGMT  # Special case for "expires" attr
-    |                                # or
+    |                                  # or
-    [""" + _LegalValueChars + r"""]*    # Any word or empty string
+    [""" + _LegalValueChars + r"""]*   # Any word or empty string
-    )                              # End of group 'val'
+    )                                # End of group 'val'
-    \s*;?                          # Probably ending in a semi-colon
+    )?                             # End of optional value group
+    \s*                            # Any number of spaces.
+    (\s+|;|$)                      # Ending either at space, semicolon, or EOS.
    """, re.ASCII)                 # May be removed if safe.
@@ -551,8 +556,12 @@ class BaseCookie(dict):
                    M[key[1:]] = value
            elif key.lower() in Morsel._reserved:
                if M:
-                    M[key] = _unquote(value)
+                    if value is None:
-            else:
+                        if key.lower() in Morsel._flags:
+                            M[key] = True
+                    else:
+                        M[key] = _unquote(value)
+            elif value is not None:
                rval, cval = self.value_decode(value)
                self.__set(key, rval, cval)
                M = self[key]

--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -114,13 +114,51 @@ class CookieTests(unittest.TestCase):
        self.assertEqual(C.output(),
                         'Set-Cookie: Customer="WILE_E_COYOTE"; Max-Age=10')
-        # others
+    def test_set_secure_httponly_attrs(self):
        C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
        C['Customer']['secure'] = True
        C['Customer']['httponly'] = True
        self.assertEqual(C.output(),
            'Set-Cookie: Customer="WILE_E_COYOTE"; httponly; secure')
+    def test_secure_httponly_false_if_not_present(self):
+        C = cookies.SimpleCookie()
+        C.load('eggs=scrambled; Path=/bacon')
+        self.assertFalse(C['eggs']['httponly'])
+        self.assertFalse(C['eggs']['secure'])
+    def test_secure_httponly_true_if_present(self):
+        # Issue 16611
+        C = cookies.SimpleCookie()
+        C.load('eggs=scrambled; httponly; secure; Path=/bacon')
+        self.assertTrue(C['eggs']['httponly'])
+        self.assertTrue(C['eggs']['secure'])
+    def test_secure_httponly_true_if_have_value(self):
+        # This isn't really valid, but demonstrates what the current code
+        # is expected to do in this case.
+        C = cookies.SimpleCookie()
+        C.load('eggs=scrambled; httponly=foo; secure=bar; Path=/bacon')
+        self.assertTrue(C['eggs']['httponly'])
+        self.assertTrue(C['eggs']['secure'])
+        # Here is what it actually does; don't depend on this behavior.  These
+        # checks are testing backward compatibility for issue 16611.
+        self.assertEqual(C['eggs']['httponly'], 'foo')
+        self.assertEqual(C['eggs']['secure'], 'bar')
+    def test_bad_attrs(self):
+        # issue 16611: make sure we don't break backward compatibility.
+        C = cookies.SimpleCookie()
+        C.load('cookie=with; invalid; version; second=cookie;')
+        self.assertEqual(C.output(),
+            'Set-Cookie: cookie=with\r\nSet-Cookie: second=cookie')
+    def test_extra_spaces(self):
+        C = cookies.SimpleCookie()
+        C.load('eggs  =  scrambled  ;  secure  ;  path  =  bar   ; foo=foo   ')
+        self.assertEqual(C.output(),
+            'Set-Cookie: eggs=scrambled; Path=bar; secure\r\nSet-Cookie: foo=foo')
    def test_quoted_meta(self):
        # Try cookie with quoted meta-data
        C = cookies.SimpleCookie()

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -28,6 +28,9 @@ Tests
  self-signed.pythontest.net.  This avoids relying on svn.python.org, which
  recently changed root certificate.
+- Issue #22758: Fix a regression that no longer allowed secure and httponly
+  cookies to be parsed.
 What's New in Python 3.2.6?
 ===========================