Posted to mod_python-dev@quetz.apache.org by "Ken Brownfield (JIRA)" <ji...@apache.org> on 2008/01/23 23:22:34 UTC

[jira] Commented: (MODPYTHON-3) mod_python cannot parse cookies with $-prefixed attributes

    [ https://issues.apache.org/jira/browse/MODPYTHON-3?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561837#action_12561837 ] 

Ken Brownfield commented on MODPYTHON-3:
----------------------------------------

We're unable to use mod_python v3.3.1 in production without the patch below.  It's a pretty self-explanatory precedence issue:

--- Cookie.py   2007/12/15 21:45:42     1.1
+++ Cookie.py   2007/12/15 21:46:06
@@ -344,7 +344,7 @@

         # We just ditch the cookies names which start with a dollar
sign since
         # those are in fact RFC2965 cookies attributes. See bug
[#MODPYTHON-3].
-        if key[0]!='$' and names is None or key in names:
+        if key[0]!='$' and ( names is None or key in names ):
             result[key] = Class(key, val)

     return result
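
Review bot: On the changed `if` line, the added parentheses fix the grouping, but `key[0]` still indexes the first character and would raise IndexError if an empty key ever reached this point; `not key.startswith('$')` expresses the same test without indexing. The spacing would also read better as `key[0] != '$' and (names is None or key in names)`, and the comment above the condition could state that $-prefixed names are dropped whether or not `names` is given. A regression test that feeds the `$Version=0; pysid=34a9b38c34;$Path=/` header from this issue through this code path, both with `names` unset and with `names` set, would pin the behaviour.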

Comments?  This patch has been in heavy production use for a couple of months without incident.

Thanks,
Ken.


> mod_python cannot parse cookies with $-prefixed attributes
> ----------------------------------------------------------
>
>                 Key: MODPYTHON-3
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-3
>             Project: mod_python
>          Issue Type: Bug
>    Affects Versions: 3.1.3
>            Reporter: Nicolas Lehuen
>            Assignee: Nicolas Lehuen
>             Fix For: 3.2.7
>
>         Attachments: mod_python-3.3.1-kb0.patch.txt
>
>
> Craig Warren (to mod_python, python-dev)
> I found an error while working with the Cookie module.  When the cookie module parses a cookie, if that cookie has $Version or $Path in it you get an error. My cookie is coming from a Java library that puts $Version and $Path in it.
> example ="Cookie: $Version=0; pysid=34a9b38c34;$Path=/"
> RFC 2109 mentions $Version and $Path in Section 4.4
> http://www.faqs.org/rfcs/rfc2109.html
> 4.4  How an Origin Server Interprets the Cookie Header
>    A user agent returns much of the information in the Set-Cookie header
>    to the origin server when the Path attribute matches that of a new
>    request.  When it receives a Cookie header, the origin server should
>    treat cookies with NAMEs whose prefix is $ specially, as an attribute
>    for the adjacent cookie.  The value for such a NAME is to be
>    interpreted as applying to the lexically (left-to-right) most recent
>    cookie whose name does not have the $ prefix.  If there is no
>    previous cookie, the value applies to the cookie mechanism as a
>    whole.  For example, consider the cookie
>    Cookie: $Version="1"; Customer="WILE_E_COYOTE";
>            $Path="/acme"
>    $Version applies to the cookie mechanism as a whole (and gives the
>    version number for the cookie mechanism).  $Path is an attribute
>    whose value (/acme) defines the Path attribute that was used when the
>    Customer cookie was defined in a Set-Cookie response header.
> In Cookie.py it looks like the code was in place to deal with $Version and $Path, but not finished
> from _parse_cookie()
> line ~321
>         l_key = key.lower()
>
>         if (l_key in valid or key[0] == '$'):
>
>             # "internal" attribute, add to cookie
>             if l_key == "max-age":
>                 l_key = "max_age"
>             setattr(c, l_key, val)
>  The above code checks for the $, but doesn't do anything with it and in fact when it tries to do a setattr with $Version or $Path, you get an error.
> I modified the function to be
>         l_key = key.lower()
>
>         if (l_key in valid or key[0] == '$'):
>
>             # "internal" attribute, add to cookie
>             if l_key == "max-age":
>                 l_key = "max_age"
>             if key[0] == '$':
>                 l_key = l_key[1:]
>             setattr(c, l_key, val)
> Don't know if this is exactly the correct fix, but it works for me and I thought that I would email the list.  I tried to subscribe to python-dev@httpd.apache.org, but haven't gotten a response back yet, I CC this message to python-dev@httpd.apache.org also.
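
The precedence problem fixed by the patch above, next to the RFC 2109 section 4.4 rule quoted in the issue, as an added Python 3 example. This is not mod_python's code: the function names and the tuple layout are assumptions made for illustration, and `attach_attributes` goes beyond the patch by binding each $-attribute to the cookie on its left.

```python
# Added illustration; not mod_python's Cookie.py. All names are hypothetical.

def split_cookie_header(header):
    """Split a Cookie header value into ordered (key, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        pairs.append((key.strip(), val.strip().strip('"')))
    return pairs

def select_unpatched(pairs, names=None):
    """Condition from the patch's '-' line: parsed as (A and B) or C."""
    result = {}
    for key, val in pairs:
        # For a $-key with names=None this evaluates `key in None`.
        if key[0] != '$' and names is None or key in names:
            result[key] = val
    return result

def select_patched(pairs, names=None):
    """Condition from the patch's '+' line: A and (B or C)."""
    result = {}
    for key, val in pairs:
        if key[0] != '$' and (names is None or key in names):
            result[key] = val
    return result

def attach_attributes(pairs):
    """RFC 2109 4.4: a $-prefixed NAME applies to the most recent cookie
    to its left, or to the cookie mechanism as a whole if there is none."""
    mechanism, cookies = {}, []
    for key, val in pairs:
        if key.startswith('$'):
            target = cookies[-1][2] if cookies else mechanism
            target[key[1:].lower()] = val
        else:
            cookies.append((key, val, {}))
    return mechanism, cookies

# Header value taken from the issue report quoted above.
SAMPLE = "$Version=0; pysid=34a9b38c34;$Path=/"
```

With `names` unset, the unpatched condition raises TypeError on the first $-prefixed key; with `names` set, it lets a $-prefixed name through if the caller lists it.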
