[mod_python] Cookie patch

Craig Warren craig.warren at encorp.com
Thu Jan 13 11:23:03 EST 2005 

I found an error while with Cookie module.  When the cookie module 
parses a cookie, if that cooke has $Version or $Path in it you get an 
error. My cookie is coming from a java libaray, that puts $Version and 
$Path in it.
example ="Cookie: $Version=0; pysid=34a9b38c34;$Path=/"
  

RFC 2109 mentions $Version and $Path in Section 4.4

http://www.faqs.org/rfcs/rfc2109.html

4.4  How an Origin Server Interprets the Cookie Header

   A user agent returns much of the information in the Set-Cookie header
   to the origin server when the Path attribute matches that of a new
   request.  When it receives a Cookie header, the origin server should
   treat cookies with NAMEs whose prefix is $ specially, as an attribute
   for the adjacent cookie.  The value for such a NAME is to be
   interpreted as applying to the lexically (left-to-right) most recent
   cookie whose name does not have the $ prefix.  If there is no
   previous cookie, the value applies to the cookie mechanism as a
   whole.  For example, consider the cookie

   Cookie: $Version="1"; Customer="WILE_E_COYOTE";
           $Path="/acme"

   $Version applies to the cookie mechanism as a whole (and gives the
   version number for the cookie mechanism).  $Path is an attribute
   whose value (/acme) defines the Path attribute that was used when the
   Customer cookie was defined in a Set-Cookie response header.


In Cookie.py it looks like the code was in place to deal with $Version 
and $Path, but not finished

from  _parse_cookie()
line ~321
 /*l_key = key.lower()
       
        if (l_key in valid or key[0] == '$'):
           
            # "internal" attribute, add to cookie

            if l_key == "max-age":
                l_key = "max_age"
            setattr(c, l_key, val)
*/
 The above code checks for the $, but doesn't do anything with it and in 
fact when it tries to do a setattr with $Version or $Path, you get an error.

I modified the function to be

/*l_key = key.lower()
       
        if (l_key in valid or key[0] == '$'):
           
            # "internal" attribute, add to cookie

            if l_key == "max-age":
                l_key = "max_age"
           ** if key[0] == '$':
                l_key = l_key[1:]
            setattr(c, l_key, val)*
/

Don't know if this is exactly the correct fix, but it works for me and I 
thought that I would email the list.  I tried to subscribe to 
python-dev at httpd.apache.org, but haven't gotten a response back yet, I 
CC this message to python-dev at httpd.apache.org also.

Craig Warren

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mm_cfg_has_not_been_edited_to_set_host_domains/pipermail/mod_python/attachments/20050113/8c5309fd/attachment.html

More information about the Mod_python mailing list