Opened 17 years ago

Closed 17 years ago

Last modified 16 years ago

#2806 closed defect (wontfix)

Cookie system does not support "port"

Reported by: aagaande@… Owned by: Malcolm Tredinnick
Component: Contrib apps Version: dev
Severity: normal Keywords: cookies
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Adrian Holovaty)

When loading my web page with a .NET application's cookie system (in WebRequest) it'll send this cookie:
sessionid=a2be2e7debe71af8d88d350c4d14d768;$Path=/;$Domain=192.168.0.2;$Port="8000"

Python will here fail on a cookie error:

  File "/home/neuron/Documents/Programming/django/django_src/django/core/handlers/wsgi.py", line 128, in _get_cookies
    self._cookies = http.parse_cookie(self.environ.get('HTTP_COOKIE', ''))
  File "/home/neuron/Documents/Programming/django/django_src/django/http/__init__.py", line 151, in parse_cookie
    c.load(cookie)
  File "/usr/lib64/python2.4/Cookie.py", line 621, in load
    self.__ParseString(rawdata)
  File "/usr/lib64/python2.4/Cookie.py", line 646, in __ParseString
    M[ K[1:] ] = V
  File "/usr/lib64/python2.4/Cookie.py", line 437, in __setitem__
    raise CookieError("Invalid Attribute %s" % K)
CookieError: Invalid Attribute port

Change History (9)

comment:1 by Malcolm Tredinnick, 17 years ago

Urgh! Fixing this will require rewrite django.http.parse_cookie() to use the standard library's cookielib module directly, rather than Cookie. The problem is that Cookie is only RFC2109-compliant, whereas you cookie example above requires RFC2965 understanding ($Port was only introduced as a permitted name in the latter).

It would be good if you could file a bug at Python's bugtracker, too, giving your example cookie and the place it causes a problem inside the Cookie mdule (they won't care about all the Django stuff). The Cookie module needs updating (I just checked: it still only supports RFC2109 in Python 2.5)

If you wanted to have a stab at fixing this yourself, the first paragraph is the approach I would take: look at the cookie handling in django/http/__init__.py and port it to use cookielib, rather than Cookie.

comment:2 by aagaande@…, 17 years ago

http://sourceforge.net/tracker/index.php?func=detail&aid=1564508&group_id=5470&atid=105470

Reported here, I'll see how much work it is to make a patch.

comment:3 by aagaande@…, 17 years ago

Looked into this some more, it's not gonna be easy to implement in a clean way.

The cookielib module is tightly tied with urllib2, and extra_cookies requires two arguments.
response object - (result of urllib2.urlopen()), needs info() method, which returns an object with getallmatchingheaders() (usually mimetools.Message)
request object - (urllib2.Request), must support get_full_url(), get_host(), unverifiable() and get_origin_req_host().

From what I can tell, it'd involve changing changing modpython.py and wsgi.py's arguments to parse_cookies to passing self._get_request. But I'm not quite sure where to get the response object.

on the response object it calls:

headers = response.info()
rfc2965_hdrs = headers.getheaders("Set-Cookie2")
ns_hdrs = headers.getheaders("Set-Cookie")

http://trac.turbogears.org/turbogears/wiki/ConvertCookies uses a fake request to convert from one to the other, but I think it'd be better to fix the system than to improve it in a hackish way. But that demonstrates use of "_cookie_from_cookie_tuple" (undocumented but used internaly by cookielib), it looks considerably easier to use that than to use a proper response object, but I dont know django's position on using undocumented api?.

comment:4 by Malcolm Tredinnick, 17 years ago

Owner: changed from Adrian Holovaty to Malcolm Tredinnick

Oh, Lord. Nice investigation, but the result is pretty sucky. I hadn't realised the two implementations were that disparate.

Python 2.3 and 2.4 will never be "fixed" in the sense of changing the Cookie module, so we still need a workaround. Need to think about the TurboGears-like approach. It's not completely insane (and it might help our testing framework as a side-effect).

comment:5 by aagaande@…, 17 years ago

Switching to cookielib shouldn't be that complicated if you use the _cookie_from_cookie_tuple function, as you already have a request object both places parse_cookies is called, it should be relativly clean fix. If you don't use the internal api you'll need a response object as well though, and that's where things get a bit complicated, as you'll need to deal with a fake one most likely.

comment:6 by Adrian Holovaty, 17 years ago

Description: modified (diff)

Fixed formatting in description.

comment:7 by Simon G. <dev@…>, 17 years ago

Triage Stage: UnreviewedAccepted

comment:8 by Simon G. <dev@…>, 17 years ago

Resolution: wontfix
Status: newclosed

Marking as wontfix given the following comment on Python's bugtracker

Why do you want RFC 2965 compatibility?

I'm not trolling; RFC 2965 is dead as an internet protocol (except as a
basis for implementing the older cookie protocols, as RFC 2965 +
compatibility hacks -- but $Port is not relevant in that case).  The
authors of the RFC gave up on an effort to publish errata to the RFC, due
to the complexities and the lack of interest from the internet at large.

AFAIK, $Port is not implemented by browsers (except for maybe Opera and
lynx, IIRC).  It just never caught on.

See also http://python.org/sf/1638033

comment:9 by anonymous, 16 years ago

seduction Here's my post on how to get laid in the next month or two. This post does not maximize your chances of "getting really good at pickup" - in fact, it does the opposite.

Note: See TracTickets for help on using tickets.
Back to Top