Uploaded image for project: 'mod_python'
  1. mod_python
  2. MODPYTHON-3

mod_python cannot parse cookies with $-prefixed attributes

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.1.3
    • 3.2.7
    • None
    • None

    Description

      Craig Warren (to mod_python, python-dev)

      I found an error while with Cookie module. When the cookie module parses a cookie, if that cooke has $Version or $Path in it you get an error. My cookie is coming from a java libaray, that puts $Version and $Path in it.
      example ="Cookie: $Version=0; pysid=34a9b38c34;$Path=/"

      RFC 2109 mentions $Version and $Path in Section 4.4

      http://www.faqs.org/rfcs/rfc2109.html

      4.4 How an Origin Server Interprets the Cookie Header

      A user agent returns much of the information in the Set-Cookie header
      to the origin server when the Path attribute matches that of a new
      request. When it receives a Cookie header, the origin server should
      treat cookies with NAMEs whose prefix is $ specially, as an attribute
      for the adjacent cookie. The value for such a NAME is to be
      interpreted as applying to the lexically (left-to-right) most recent
      cookie whose name does not have the $ prefix. If there is no
      previous cookie, the value applies to the cookie mechanism as a
      whole. For example, consider the cookie

      Cookie: $Version="1"; Customer="WILE_E_COYOTE";
      $Path="/acme"

      $Version applies to the cookie mechanism as a whole (and gives the
      version number for the cookie mechanism). $Path is an attribute
      whose value (/acme) defines the Path attribute that was used when the
      Customer cookie was defined in a Set-Cookie response header.

      In Cookie.py it looks like the code was in place to deal with $Version and $Path, but not finished

      from _parse_cookie()
      line ~321
      l_key = key.lower()

      if (l_key in valid or key[0] == '$'):

      1. "internal" attribute, add to cookie

      if l_key == "max-age":
      l_key = "max_age"
      setattr(c, l_key, val)

      The above code checks for the $, but doesn't do anything with it and in fact when it tries to do a setattr with $Version or $Path, you get an error.

      I modified the function to be

      l_key = key.lower()

      if (l_key in valid or key[0] == '$'):

      1. "internal" attribute, add to cookie

      if l_key == "max-age":
      l_key = "max_age"
      if key[0] == '$':
      l_key = l_key[1:]
      setattr(c, l_key, val)

      Don't know if this is exactly the correct fix, but it works for me and I thought that I would email the list. I tried to subscribe to python-dev@httpd.apache.org, but haven't gotten a response back yet, I CC this message to python-dev@httpd.apache.org also.

      Attachments

        1. mod_python-3.3.1-kb0.patch.txt
          0.4 kB
          Ken Brownfield

        Activity

          People

            nlehuen Nicolas Lehuen
            nlehuen Nicolas Lehuen
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: