Comment 5 for bug 563229

Tres Seaver (tseaver) wrote :

RFC 2965[1] governs HTTP cookies, and mandates that the 'value' side of a cookie av-pair be one of either 'token' (sequence of non-whitespace, non-separators), or 'quoted-string' (double quotes around a sequence of anything *except* non-escaped double quotes), both as specified in RFC 2616[2].

So, whatever code you have which is generating such a cookie without escaping the quotes with backslashes is in violation of the spec. The 'HTTPResponse.setCookie' method should probably be doing the escaping, as well as wrapping any non-token values in double quotes, and 'parse_cookie' should handle the unescaping and stripping of quotes.

 [1] http://tools.ietf.org/html/rfc2965
 [2] http://tools.ietf.org/html/rfc2616

I will apply the patch anyway, as it doesn't break other tests, or introduce any new complexity to 'parse_cookie'.
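
The quoting rules described in the comment above, as an added example that is not part of the original comment and is not Zope's `HTTPResponse.setCookie` or `parse_cookie` code. The function names are hypothetical, the header string is constructed sample input, and rejecting control characters is a choice made by this example.

```python
import re

# RFC 2616 section 2.2: a token is one or more CHARs that are neither
# control characters nor separators ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")

# One av-pair: name, '=', then either a quoted-string (which may contain
# backslash-escaped characters and literal ';') or a bare run up to ';' or ','.
_PAIR_RE = re.compile(
    r'\s*([^=;,\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,]*)\s*[;,]?', re.S)


def quote_cookie_value(value):
    """Return value as a token if it is one, else as an escaped quoted-string."""
    # Assumption of this example: refuse control characters (other than tab)
    # so CR/LF in a value can never end the header line early.
    if any((ord(c) < 32 and c != "\t") or ord(c) == 127 for c in value):
        raise ValueError("control character in cookie value")
    if _TOKEN_RE.match(value):
        return value
    # Escape backslash and double quote, then wrap in double quotes.
    return '"' + re.sub(r'(["\\])', r'\\\1', value) + '"'


def unquote_cookie_value(raw):
    """Strip surrounding quotes and undo backslash escapes; tokens pass through."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1], flags=re.S)
    return raw


def parse_cookie_header(header):
    """Split a Cookie header into a dict, honouring quoted-string values."""
    return {name: unquote_cookie_value(value.strip())
            for name, value in _PAIR_RE.findall(header)}


if __name__ == "__main__":
    # Constructed sample: the second value contains quotes and a semicolon.
    sample = 'a=simple; b=' + quote_cookie_value('say "hi"; ok')
    print(sample)
    print(parse_cookie_header(sample))
```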