I'm submitting a ... question about the decisions made in the repository
Do you want to request a feature or report a bug?
feature
What is the current behavior?
Whenever one of the cookies is invalid, CherryPy returns error 400.
It is common for browsers and other web servers to support cookies that are not RFC compliant, and users expect such cookies to work. If another website in the same domain is setting an invalid cookie, it will break the website served by CherryPy.
If the current behavior is a bug, please provide the steps to reproduce and, if possible, screenshots and logs of the problem. If you can, show us your code.
Set a cookie for the same domain, using for example the Chrome developer tools:
__utmzz=utmcsr=(direct)|utmcmd=(none)|utmccn=(not set)|utmcct=(not set)|utmctr=(not set)|utmgclid=(not set)
What is the expected behavior?
CherryPy ignores the invalid cookie.
What is the motivation / use case for changing the behavior?
A website served by CherryPy should not be affected by another website in the same domain.
Please tell us about your environment:
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)
The Python standard library implementation of the cookie parser (https://github.com/python/cpython/blob/3.7/Lib/http/cookies.py) assumes that cookies can be separated only by a space, but the standard requires a semicolon and a space between cookies.
So it treats the value after the space and before "=" as a new key and validates it against the valid characters for a token, which can't contain the "(" character:
A similar issue is logged in cpython: (python/cpython#75637)
and, for example, in Django they rewrote the cookie parser to match browser behaviour:
(django/django@93a135d)
There are also some workarounds available, like this one:
(https://stackoverflow.com/questions/7148458/cookieerror-illegal-key-value#answer-25819605)
My proposed solution would be to update _cprequest.py to ignore invalid cookies, or to make raising the error optional.
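Added example, not code from CherryPy, Django or the issue author: the stdlib `SimpleCookie` parser run over a constructed Cookie header that contains the `__utmzz` cookie quoted above, next to a per-cookie lenient parse of the kind the post proposes. The `session_id` and `weird(name` cookies are constructed; whether `SimpleCookie` raises `CookieError` or rejects the string silently depends on the exact header, but either way no cookie in that header reaches the application.

```python
from http import cookies

# Constructed Cookie header: a valid session cookie, a cookie whose name
# contains "(" and the __utmzz cookie quoted in the issue.
HEADER = (
    "session_id=abc123; "
    "weird(name=1; "
    "__utmzz=utmcsr=(direct)|utmcmd=(none)|utmccn=(not set)|"
    "utmcct=(not set)|utmctr=(not set)|utmgclid=(not set)"
)

def strict_parse(header):
    """One SimpleCookie.load() over the whole header, as CherryPy does now.
    Returns (cookie names, error text or None); on CookieError nothing is
    delivered, which is what the HTTP 400 amounts to for the application."""
    jar = cookies.SimpleCookie()
    try:
        jar.load(header)
    except cookies.CookieError as exc:
        return [], str(exc)
    # SimpleCookie also rejects some malformed headers silently: no error,
    # but the jar stays empty and every cookie in the header is lost.
    return sorted(jar), None

def lenient_parse(header):
    """Split on ';' and parse each cookie on its own, keeping only those the
    stdlib parser accepts. Returns (kept names, dropped names)."""
    jar = cookies.SimpleCookie()
    dropped = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name = chunk.split("=", 1)[0].strip()
        probe = cookies.SimpleCookie()  # fresh jar, so a failure leaves no residue
        try:
            probe.load(chunk)
        except cookies.CookieError:
            dropped.append(name)  # e.g. "Illegal key 'weird(name'"
            continue
        if name in probe and len(probe) == 1:
            jar[name] = probe[name]
        else:
            dropped.append(name)  # silently rejected, as __utmzz is here
    return sorted(jar), dropped

if __name__ == "__main__":
    print("strict :", strict_parse(HEADER))
    print("lenient:", lenient_parse(HEADER))
```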