Miss Islington (bot)
ed27363ddf
[3.15] gh-149144: Use decodeURIComponent() for UTF-8 support in js_output() (GH-149157) (GH-149846)
...
gh-149144: Use decodeURIComponent() for UTF-8 support in js_output() (GH-149157)
(cherry picked from commit 461b1d9631)
Co-authored-by: Seth Larson <seth@python.org>
2026-05-15 00:38:11 +02:00
kishorhange111
246fe14e7c
gh-148849: Deprecate http.cookies.BaseCookie.js_output() (GH-148978)
2026-05-04 12:51:17 +03:00
Serhiy Storchaka
c80e446e6b
gh-149028: Revert gh-92936 changes (GH-149182)
...
* Revert "gh-92936: update `http.cookies` docs post GH-113663 (#137566)"
This reverts commit d86c2257a6.
* Revert "gh-92936: allow double quote in cookie values (#113663)"
This reverts commit d7dbde8958.
2026-04-30 22:19:46 +03:00
Seth Larson
76b3923d68
gh-90309: Base64-encode cookie values embedded in JS
2026-04-22 19:22:31 +00:00
Stan Ulbrych
57e88c1cf9
gh-145599, CVE 2026-3644: Reject control characters in http.cookies.Morsel.update() (#145600)
...
Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
2026-03-16 14:43:43 +01:00
Seth Michael Larson
95746b3a13
gh-143919: Reject control characters in http cookies
...
Co-authored-by: Bartosz Sławecki <bartosz@ilikepython.com>
Co-authored-by: sobolevn <mail@sobolevn.me>
2026-01-20 21:23:42 +00:00
Nick Burns
d7dbde8958
gh-92936: allow double quote in cookie values (#113663)
...
* allow double quote in cookie values
* Update Lib/test/test_http_cookies.py
Co-authored-by: Senthil Kumaran <senthil@python.org>
2025-08-08 12:07:15 -07:00
Giles Copp
9abbb58e3f
gh-112713: Add support for 'partitioned' attribute in http.cookies (GH-112714)
...
* Add support for 'partitioned' attribute in http.cookies
Co-authored-by: Giles Copp <gilesc@dropbox.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
2025-01-24 22:31:52 +00:00
Nano
359389ed51
gh-123401: Fix http.cookies module to support obsolete RFC 850 date format (#123405)
...
Co-authored-by: Wulian <1055917385@qq.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
2024-12-11 13:28:19 +00:00
J. Nick Koston
dd3c0fa3fd
gh-126156: Improve performance of creating Morsel objects (#126157)
...
Replaces the manually constructed loop with a call to `dict.update`
2024-10-31 12:05:40 -07:00
Serhiy Storchaka
44e458357f
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
...
This fixes CVE-2024-7592.
2024-08-17 16:30:52 +03:00
Serhiy Storchaka
1a0c7b9ba4
gh-121905: Consistently use "floating-point" instead of "floating point" (GH-121907)
2024-07-19 08:06:02 +00:00
Batuhan Taşkaya
0361556537
bpo-39481: PEP 585 for a variety of modules (GH-19423)
...
- concurrent.futures
- ctypes
- http.cookies
- multiprocessing
- queue
- tempfile
- unittest.case
- urllib.parse
2020-04-10 07:46:36 -07:00
Berker Peksag
d5a2377c3d
bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555)
2018-04-23 02:48:11 +03:00
Alex Gaynor
afbbac12a5
Removed a confusing line from a docstring in http.cookies (GH-6482)
...
There's no reason a cookie should _ever_ contain pickled data. That's just asking for a critical security vulnerability. Back in Python2 there were helpers for doing that, but they're no more in Python3. Now coded_value is used when the value needs to be encoded for any reason.
2018-04-15 17:23:47 -04:00
Alex Gaynor
c87eb09d2e
bpo-29613: Added support for SameSite cookies (GH-6413)
...
* bpo-29613: Added support for SameSite cookies
Implemented as per draft
https://tools.ietf.org/html/draft-west-first-party-cookies-07
* Documented SameSite
And suggestions by members.
* Missing space :(
* Updated News and contributors
* Added version changed details.
* Fix in documentation
* fix in documentation
* Clubbed test cases for same attribute into single.
* Updates
* Style nits + expand tests
* review feedback
2018-04-07 16:09:42 -04:00
Serhiy Storchaka
cc283378d6
Issue #29192 : Removed deprecated features in the http.cookies module.
2017-01-13 09:23:15 +02:00
Serhiy Storchaka
bd48d27944
Issue #22493 : Inline flags now should be used only at the start of the
...
regular expression. Deprecation warning is emitted if they are used in the
middle of the regular expression.
2016-09-11 12:50:02 +03:00
R David Murray
44b548dda8
#27364 : fix "incorrect" uses of escape character in the stdlib.
...
And most of the tools.
Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
2016-09-08 13:59:53 -04:00
Martin Panter
46f50726a0
Issue #27076 : Doc, comment and tests spelling fixes
...
Most fixes to Doc/ and Lib/ directories by Ville Skyttä.
2016-05-26 05:35:26 +00:00
Anish Shah
102d813b55
Issue #26302 : Correctly identify comma as an invalid character for a cookie (correcting regression in Python 3.5).
2016-02-07 05:36:00 +05:00
Benjamin Peterson
5a69420062
merge 3.4 ( #22931 )
2015-05-23 10:41:30 -05:00
Benjamin Peterson
c4ae86e477
merge 3.3 ( #22931 )
2015-05-23 10:40:47 -05:00
Benjamin Peterson
d504f20e1c
merge 3.2 ( #22931 )
2015-05-23 10:38:48 -05:00
Benjamin Peterson
9bd476ea57
allow square brackets in cookie values ( closes #22931 )
2015-05-23 10:36:48 -05:00
R David Murray
1813c1701f
#2211 : properly document the Morsel behavior changes.
...
Also deprecate the undocumented set argument instead of removing
it already in 3.5.
Initial patch by Demian Brecht.
2015-03-29 17:09:21 -04:00
Serhiy Storchaka
6c32585f67
Restored backward compatibility of pickling http.cookies.Morsel. It was
...
broken after converting instance attributes to properties in issue #2211.
2015-03-18 18:03:40 +02:00
Serhiy Storchaka
9c1a9b2657
Issue #2211 : Updated the implementation of the http.cookies.Morsel class.
...
Setting attributes key, value and coded_value directly now is deprecated.
update() and setdefault() now transform and check keys. Comparing for
equality now takes into account attributes key, value and coded_value.
copy() now returns a Morsel, not a dict. repr() now contains all attributes.
Optimized checking keys and quoting values. Added new tests.
Original patch by Demian Brecht.
2015-03-18 10:59:57 +02:00
Benjamin Peterson
5b883296f6
merge 3.4 ( #22986 )
2015-01-16 20:46:37 -05:00
Benjamin Peterson
bd341629b0
capitalize "HttpOnly" and "Secure" as they appear in the standard and other impls (closes #23250)
...
Patch by Jon Dufresne.
2015-01-16 20:43:55 -05:00
Antoine Pitrou
b1e36073cd
Issue #22796 : HTTP cookie parsing is now stricter, in order to protect against potential injection attacks.
2014-11-21 01:20:57 +01:00
Serhiy Storchaka
8cf7c1cff0
Issue #22775 : Fixed unpickling of http.cookies.SimpleCookie with protocol 2
...
and above. Patch by Tim Graham.
2014-11-02 22:18:25 +02:00
Antoine Pitrou
7d0b8f95e7
Lax cookie parsing in http.cookies could be a security issue when combined
...
with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
2014-09-17 00:23:55 +02:00
Antoine Pitrou
dad182c16e
Lax cookie parsing in http.cookies could be a security issue when combined
...
with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
2014-09-17 00:23:55 +02:00
Serhiy Storchaka
b992a0e102
Issue #19936 : Added executable bits or shebang lines to Python scripts which
...
require them. Disable executable bits and shebang lines in test and
benchmark files in order to prevent using a random system python, and in
source files of modules which don't provide command line interface. Fixed
shebang line to use python3 executable in the unittestgui script.
2014-01-16 17:15:49 +02:00
R David Murray
cd0f74b1e0
#16611 : BaseCookie now parses 'secure' and 'httponly' flags.
...
Previously it generated them if they were given a value, but completely
ignored them if they were present in the string passed in to be parsed. Now
if the flag appears on a cookie, the corresponding Morsel key will reference a
True value. Other pre-existing behavior is retained in this maintenance
patch: if the source contains something like 'secure=foo', morsel['secure']
will return 'foo'. Since such a value doesn't round trip and never did (and
would be a surprising occurrence) a subsequent non-bug-fix patch may change
this behavior.
Inspired by a patch from Julien Phalip, who reviewed this one.
2013-08-25 11:09:02 -04:00
Senthil Kumaran
185f401308
merge - Fix for issue14426 - buildbots here I come
2012-05-20 16:58:59 +08:00
Senthil Kumaran
aeeba2629a
Fix for issue14426 - buildbots here I come
2012-05-20 16:58:30 +08:00
Senthil Kumaran
0b943a18ef
Issue #14426 : Correct the Date format in Expires attribute of Set-Cookie. Patch by Federico Reghenzani and Müte Invert
2012-05-20 12:06:51 +08:00
Senthil Kumaran
00c2ec282e
Issue #14426 : Correct the Date format in Expires attribute of Set-Cookie. Patch by Federico Reghenzani and Müte Invert
2012-05-20 12:05:16 +08:00
Senthil Kumaran
3a441c1bed
Fix Issue2193 - Allow ":" character in Cookie NAME values
2012-04-22 09:19:04 +08:00
R. David Murray
e05ca2aff4
#9824 : encode , and ; in cookie values so that browsers don't split on them
...
There is a small chance of backward incompatibility here, but only for
non-SimpleCookie applications reading SimpleCookie generated cookies. Even
then, any such app is likely to be handling escaped values already, and it would
take a fairly perverse implementation of unescaping to fail to unescape these
newly escaped chars, so the risk seems minimal.
2010-12-28 18:54:13 +00:00
Georg Brandl
cbd2ab1311
#1513299 : cleanup some map() uses where a comprehension works better.
2010-12-04 10:39:14 +00:00
Georg Brandl
b16e38b825
#8826 : the "expires" attribute value is a date string with spaces, but apparently not all user-agents put it in quotes. Handle that as a special case.
2010-08-01 09:06:34 +00:00
Georg Brandl
76e155a157
#3788 : more tests for http.cookies, now at 95% coverage. Also bring coding style in the module up to PEP 8, where it does not break backwards compatibility.
2010-07-31 21:04:00 +00:00
Benjamin Peterson
90f5ba538b
convert shebang lines: python -> python3
2010-03-11 22:53:45 +00:00
Benjamin Peterson
8719ad5dde
Merged revisions 74277,74321,74323,74326,74355,74465,74467,74488,74492,74513,74531,74549,74553,74625,74632,74643-74644,74647,74652,74666,74671,74727,74739 via svnmerge from
...
svn+ssh://pythondev@svn.python.org/python/trunk
........
r74277 | sean.reifschneider | 2009-08-01 18:54:55 -0500 (Sat, 01 Aug 2009) | 3 lines
- Issue #6624: PyArg_ParseTuple with "s" format when parsing argument with
NUL: Bogus TypeError detail string.
........
r74321 | guilherme.polo | 2009-08-05 11:51:41 -0500 (Wed, 05 Aug 2009) | 1 line
Easier reference to find (at least while svn continues being used).
........
r74323 | guilherme.polo | 2009-08-05 18:48:26 -0500 (Wed, 05 Aug 2009) | 1 line
Typo.
........
r74326 | jesse.noller | 2009-08-05 21:05:56 -0500 (Wed, 05 Aug 2009) | 1 line
Fix issue 4660: spurious task_done errors in multiprocessing, remove doc note for from_address
........
r74355 | gregory.p.smith | 2009-08-12 12:02:37 -0500 (Wed, 12 Aug 2009) | 2 lines
comment typo fix
........
r74465 | vinay.sajip | 2009-08-15 18:23:12 -0500 (Sat, 15 Aug 2009) | 1 line
Added section on logging to one file from multiple processes.
........
r74467 | vinay.sajip | 2009-08-15 18:34:47 -0500 (Sat, 15 Aug 2009) | 1 line
Refined section on logging to one file from multiple processes.
........
r74488 | vinay.sajip | 2009-08-17 08:14:37 -0500 (Mon, 17 Aug 2009) | 1 line
Further refined section on logging to one file from multiple processes.
........
r74492 | r.david.murray | 2009-08-17 14:26:49 -0500 (Mon, 17 Aug 2009) | 2 lines
Issue 6685: 'toupper' -> 'upper' in cgi doc example explanation.
........
r74513 | skip.montanaro | 2009-08-18 09:37:52 -0500 (Tue, 18 Aug 2009) | 1 line
missing module ref (issue6723)
........
r74531 | vinay.sajip | 2009-08-20 17:04:32 -0500 (Thu, 20 Aug 2009) | 1 line
Added section on exceptions raised during logging.
........
r74549 | benjamin.peterson | 2009-08-24 12:42:36 -0500 (Mon, 24 Aug 2009) | 1 line
fix pdf building by teaching latex the right encoding package
........
r74553 | r.david.murray | 2009-08-26 20:04:59 -0500 (Wed, 26 Aug 2009) | 2 lines
Remove leftover text from end of sentence.
........
r74625 | benjamin.peterson | 2009-09-01 17:27:57 -0500 (Tue, 01 Sep 2009) | 1 line
remove the check that classmethod's argument is a callable
........
r74632 | georg.brandl | 2009-09-03 02:27:26 -0500 (Thu, 03 Sep 2009) | 1 line
#6828 : fix wrongly highlighted blocks.
........
r74643 | georg.brandl | 2009-09-04 01:59:20 -0500 (Fri, 04 Sep 2009) | 2 lines
Issue #2666 : Handle BROWSER environment variable properly for unknown browser names in the webbrowser module.
........
r74644 | georg.brandl | 2009-09-04 02:55:14 -0500 (Fri, 04 Sep 2009) | 1 line
#5047 : remove Monterey support from configure.
........
r74647 | georg.brandl | 2009-09-04 03:17:04 -0500 (Fri, 04 Sep 2009) | 2 lines
Issue #5275 : In Cookie's Cookie.load(), properly handle non-string arguments as documented.
........
r74652 | georg.brandl | 2009-09-04 06:25:37 -0500 (Fri, 04 Sep 2009) | 1 line
#6756 : add some info about the "acct" parameter.
........
r74666 | georg.brandl | 2009-09-05 04:04:09 -0500 (Sat, 05 Sep 2009) | 1 line
#6841 : remove duplicated word.
........
r74671 | georg.brandl | 2009-09-05 11:47:17 -0500 (Sat, 05 Sep 2009) | 1 line
#6843 : add link from filterwarnings to where the meaning of the arguments is covered.
........
r74727 | benjamin.peterson | 2009-09-08 18:04:22 -0500 (Tue, 08 Sep 2009) | 1 line
#6865 fix ref counting in initialization of pwd module
........
r74739 | georg.brandl | 2009-09-11 02:55:20 -0500 (Fri, 11 Sep 2009) | 1 line
Move function back to its section.
........
2009-09-11 22:24:02 +00:00
Georg Brandl
9cf32a12a1
Turn some comments into docstrings.
2009-09-04 08:28:01 +00:00
Georg Brandl
4eff9f7ff7
Remove pseudo-end markers from http.cookies.
2009-09-04 08:22:00 +00:00
Senthil Kumaran
3e2ea79bda
Fixing the issue4860. Escaping the embedded '"' in the js_output method of Morsel class.
2009-04-02 03:02:03 +00:00