json cookies break cookie parsing

Bug #563229 reported by simonjj on 2010-04-14
Affects: Zope 2
Importance: Undecided
Assigned to: Tres Seaver

Bug Description

If a cookie has any double quotes ("), as many JSON cookies do, the cookie parsing for the JSON cookie and all subsequent cookies fails. Please see the attached screenshot for details.

Platform: OSX 10.5
Python: 2.4.4
Zope: 2.11.2
Browser: Firefox 3.6.3

simonjj (simonjj) wrote :

Please find a patch that fixed the issue for me attached here.

simonjj (simonjj) wrote :

Patch for added test case to testHTTPRequest.


mag wrote:
> Public bug reported:
>
> If a cookie has any double quotes ("), as many JSON cookies do, the
> cookie parsing for the JSON cookie and all subsequent cookies fails.
> Please see the attached screenshot for details.
>
> Platform: OSX 10.5
> Python: 2.4.4
> Zope: 2.11.2
> Browser: Firefox 3.6.3
>
> ** Affects: zope2
> Importance: Undecided
> Status: New

 status confirmed
 assignee tseaver


Changed in zope2:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote :

RFC 2965[1] governs HTTP cookies, and mandates that the 'value' side of a cookie av-pair be one of either 'token' (sequence of non-whitespace, non-separators), or 'quoted-string' (double quotes around a sequence of anything *except* non-escaped double quotes), both as specified in RFC 2616[2].

So, whatever code you have which is generating such a cookie without escaping the quotes with backslashes is in violation of the spec. The 'HTTPResponse.setCookie' method should probably be doing the escaping, as well as wrapping any non-token values in double quotes, and 'parse_cookie' should handle the unescaping and stripping of quotes.

 [1] http://tools.ietf.org/html/rfc2965
 [2] http://tools.ietf.org/html/rfc2616

I will apply the patch anyway, as it doesn't break other tests, or introduce any new complexity to 'parse_cookie'.
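
The escaping on output and unescaping on input described in the comment above, as an added example that is not part of the original report and is not Zope's own code. The names `quote_cookie_value` and `parse_cookie_header` are hypothetical, the sample header is constructed, and splitting on both ';' and ',' follows RFC 2965.

```python
import re

# RFC 2616 'token': characters other than CTLs, whitespace and separators.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
# One av-pair: NAME=VALUE, where VALUE is a quoted-string (backslash escapes
# allowed) or a bare run up to the next ';' or ',' separator.
_PAIR = re.compile(
    r'''\s*([^=;,\s]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;,]*))\s*(?:[;,]|\Z)''')


def quote_cookie_value(value):
    """Return value unchanged if it is a token, else as a quoted-string."""
    if _TOKEN.match(value):
        return value
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def parse_cookie_header(header):
    """Parse a Cookie header into a dict, unescaping quoted-string values."""
    cookies = {}
    pos = 0
    while pos < len(header):
        match = _PAIR.match(header, pos)
        if match is None:
            # Malformed pair: skip to the next ';' so that one bad cookie
            # does not discard every cookie after it.
            nxt = header.find(';', pos)
            if nxt == -1:
                break
            pos = nxt + 1
            continue
        name, quoted, bare = match.groups()
        if quoted is not None:
            value = re.sub(r'\\(.)', r'\1', quoted)  # strip backslash escapes
        else:
            value = bare.strip()
        cookies.setdefault(name, value)  # first occurrence of a name wins
        pos = match.end()
    return cookies


# Constructed sample: a JSON value sitting between two ordinary cookies.
SAMPLE_JSON = '{"theme": "dark", "tabs": [1, 2]}'
SAMPLE_HEADER = '; '.join([
    'session=abc123',
    'prefs=' + quote_cookie_value(SAMPLE_JSON),
    'lang=en',
])
```

Because the JSON value is sent as a quoted-string, the commas and quotes inside it are not treated as separators, and the `lang` cookie after it is still parsed.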

Tres Seaver (tseaver) wrote :
Changed in zope2:
status: Confirmed → Fix Committed
Changed in zope2:
milestone: none → 2.12.5
Changed in zope2:
status: Fix Committed → Fix Released