Issue #3924: Ignore cookies with invalid "version" field in cookielib.

5d0ca2c8 · Georg Brandl · f93ce0c1 · 5d0ca2c8 · 5d0ca2c8 · 5d0ca2c8
Commit 5d0ca2c8 authored May 22, 2010 by Georg Brandl
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 6 deletions

Lib/cookielib.py Lib/cookielib.py +15 -5

Lib/test/test_cookielib.py Lib/test/test_cookielib.py +15 -1

Misc/NEWS Misc/NEWS +2 -0

No files found.
--- a/Lib/cookielib.py
+++ b/Lib/cookielib.py
@@ -434,6 +434,13 @@ def join_header_words(lists):
        if attr: headers.append("; ".join(attr))
    return ", ".join(headers)

+def strip_quotes(text):
+    if text.startswith('"'):
+        text = text[1:]
+    if text.endswith('"'):
+        text = text[:-1]
+    return text
+
 def parse_ns_headers(ns_headers):
    """Ad-hoc parser for Netscape protocol cookie-attributes.

@@ -451,7 +458,7 @@ def parse_ns_headers(ns_headers):
    """
    known_attrs = ("expires", "domain", "path", "secure",
                   # RFC 2109 attrs (may turn up in Netscape cookies, too)
-                   "port", "max-age")
+                   "version", "port", "max-age")

    result = []
    for ns_header in ns_headers:
@@ -471,12 +478,11 @@ def parse_ns_headers(ns_headers):
                    k = lc
                if k == "version":
                    # This is an RFC 2109 cookie.
+                    v = strip_quotes(v)
                    version_set = True
                if k == "expires":
                    # convert expires date to seconds since epoch
-                    if v.startswith('"'): v = v[1:]
-                    if v.endswith('"'): v = v[:-1]
-                    v = http2time(v)  # None if invalid
+                    v = http2time(strip_quotes(v))  # None if invalid
            pairs.append((k, v))

        if pairs:
@@ -1450,7 +1456,11 @@ class CookieJar:

        # set the easy defaults
        version = standard.get("version", None)
-        if version is not None: version = int(version)
+        if version is not None:
+            try:
+                version = int(version)
+            except ValueError:
+                return None  # invalid version, ignore cookie
        secure = standard.get("secure", False)
        # (discard is also set if expires is Absent)
        discard = standard.get("discard", False)

--- a/Lib/test/test_cookielib.py
+++ b/Lib/test/test_cookielib.py
@@ -99,7 +99,8 @@ class DateTimeTests(TestCase):


 class HeaderTests(TestCase):
-    def test_parse_ns_headers(self):
+
+    def test_parse_ns_headers_expires(self):
        from cookielib import parse_ns_headers

        # quotes should be stripped
@@ -110,6 +111,17 @@ class HeaderTests(TestCase):
            ]:
            self.assertEquals(parse_ns_headers([hdr]), expected)

+    def test_parse_ns_headers_version(self):
+        from cookielib import parse_ns_headers
+
+        # quotes should be stripped
+        expected = [[('foo', 'bar'), ('version', '1')]]
+        for hdr in [
+            'foo=bar; version="1"',
+            'foo=bar; Version="1"',
+            ]:
+            self.assertEquals(parse_ns_headers([hdr]), expected)
+
    def test_parse_ns_headers_special_names(self):
        # names such as 'expires' are not special in first name=value pair
        # of Set-Cookie: header
@@ -1091,6 +1103,8 @@ class CookieTests(TestCase):
            ["Set-Cookie2: a=foo; path=/; Version=1; domain"],
            # bad max-age
            ["Set-Cookie: b=foo; max-age=oops"],
+            # bad version
+            ["Set-Cookie: b=foo; version=spam"],
            ]:
            c = cookiejar_from_cookie_headers(headers)
            # these bad cookies shouldn't be set

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,8 @@ C-API
 Library
 -------

+- Issue #3924: Ignore cookies with invalid "version" field in cookielib.
+
 - Issue #6268: Fix seek() method of codecs.open(), don't read the BOM twice
  after seek(0)