[issue17340] Handle malformed cookie
New submission from keakon:

One of my users told me that she couldn't log in to my website yesterday. I logged her cookie, and found it began with ',BRIDGE_R=;' which was a malformed cookie.

Tornado uses Cookie.SimpleCookie.load() to parse her cookie, and returns an empty dict when catching an exception such as CookieError. In that case, Tornado has to treat her as a new user since it believes she didn't provide any cookies. Even after Tornado tried to set a cookie (like user_id) for her, it still couldn't parse her cookie the next time.

I checked Issue2193 and found the patch provided by spookylukey could fix the bug, but it was rejected.

Why not add a default parameter like strict=True, and let users decide whether to ignore invalid keys or to raise an error? I believe SimpleCookie is useless for handling malformed cookies right now.

If it's still not acceptable, should I implement my own Cookie class for Tornado like Django did (https://github.com/django/django/blob/master/django/http/cookie.py)?

--
components: Library (Lib)
messages: 183367
nosy: georg.brandl, keakon, spookylukey
priority: normal
severity: normal
status: open
title: Handle malformed cookie
type: behavior
versions: Python 2.7

___
Python tracker <http://bugs.python.org/issue17340>
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
keakon added the comment:

Terry, say that a user's cookie is ",BRIDGE_R=; a=b;" right now. When he logs in, the server sends a "Set-Cookie: user_id=1; Path=/" header to him. Then his cookie is ",BRIDGE_R=; a=b; user_id=1;" now.

The next time he sends the cookie to the server, Cookie.SimpleCookie.load() tries to parse the cookie, but raises a CookieError. So the server has no way to get his user_id from the cookie. It has to let him log in again and send the "Set-Cookie: user_id=1; Path=/" header infinitely.

I cannot clear all cookies because Cookie.SimpleCookie.load() doesn't even let me know the keys in his cookie.

--
type: enhancement -> behavior
versions: +Python 2.7 -Python 3.4
[issue17340] Handle malformed cookie
keakon added the comment:

Terry, I think that's the standard process of web applications.

1. The user agent sends the cookie via HTTP headers to the web server.
2. The web server parses its cookie. If the server fails to find something in his cookie that proves the user has logged in, it redirects him to the login page.
3. The user agent posts login information to the web server.
4. The web server verifies the post data. If it's correct, the server sends to the user agent Set-Cookie headers which can be used as proof in step 2.

After the 4 steps, the user agent should be considered a logged-in user.

However, in step 2, the server cannot parse his cookie due to CookieError. It has to redirect the user to the login page and continue the next steps.

I don't think there is anything wrong with the process except the strange behavior of Cookie.SimpleCookie.load().
[issue17340] Handle malformed cookie
keakon added the comment:

karl, I don't know the exact reason.

"BRIDGE_R" is a cookie name set by Baidu Bridge. I don't know why there is a comma before it.

The Baidu Bridge is an external JavaScript resource. It can do anything like:

document.cookie = ",BRIDGE_R=;";

I think Baidu Bridge set the wrong cookie by mistake. But we still rely on Baidu Bridge, and we have no way to clear the wrong cookie.
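
The failure discussed in this thread, and one tolerant alternative, as an added example that is not code from the thread, from Tornado or from Django. It uses Python 3's http.cookies (the successor of the Cookie module named above); strict_parse, lenient_parse and SAMPLE are hypothetical names, and the sample header is the one quoted in the thread.

```python
from http.cookies import CookieError, SimpleCookie


def strict_parse(header):
    """All-or-nothing parse: any CookieError discards every cookie,
    which is the behaviour the thread describes for the server."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def lenient_parse(header):
    """Parse each ';'-separated pair on its own and keep the valid ones.

    Returns (cookies, rejected) so the caller can log which pairs were
    dropped and trace the script that wrote them.
    """
    cookies, rejected = {}, []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        jar = SimpleCookie()
        try:
            jar.load(chunk)
        except CookieError:
            jar.clear()  # drop anything parsed before the error
        if not jar:
            rejected.append(chunk)
            continue
        for name, morsel in jar.items():
            cookies[name] = morsel.value
    return cookies, rejected


# Constructed sample: the header quoted in the thread after login.
SAMPLE = ",BRIDGE_R=; a=b; user_id=1;"

if __name__ == "__main__":
    print("strict :", strict_parse(SAMPLE))
    print("lenient:", lenient_parse(SAMPLE))
```

Splitting on ';' assumes no cookie value contains a semicolon, which RFC 6265 does not allow in cookie values.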
[issue25635] urllib2 cannot fully read FTP file
New submission from keakon:

I found the bug from this slide: http://sector.ca/Portals/17/Presentations15/SecTor_Branca.pdf

The second way cannot fully read the file.

import urllib2

url = 'ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest'

# First way: keep a reference to the response object, then read it
response = urllib2.urlopen(url)
data = response.read()
print len(data)  # 6653498

# Second way: read directly from the temporary response object
data = urllib2.urlopen(url).read()
print len(data)  # 65536

It might be something wrong with the FTP server. It's OK when I read from my own FTP server.

--
components: Library (Lib)
messages: 254733
nosy: keakon
priority: normal
severity: normal
status: open
title: urllib2 cannot fully read FTP file
type: behavior
versions: Python 2.7

___
Python tracker <http://bugs.python.org/issue25635>
___