-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Description
Describe the bug
Cookie values after a double quote "
are not parsed. All subsequent cookies in the request are silently dropped.
To Reproduce
- setup the following simple aiohttp server:
#!/usr/bin/env python
from aiohttp import web
import json
async def hello(request):
return web.Response(text=str(request.cookies))
app = web.Application()
app.add_routes([web.get("/", hello)])
web.run_app(app)
- run the server
- make a request like this which has cookies with a double quote in the value:
curl http://localhost:8080 -H 'Cookie: baz="qux; foo=bar;'
- notice that the response body/cookies are empty not
{'baz'='"qux', 'foo': 'bar'}
Expected behavior
cookie value would be parsed and returned with a double quote in the value, subsequent cookies would also not be silently dropped
Logs/tracebacks
correct behavior
> curl http://localhost:8080 -H 'Cookie: foo=bar;'
{'foo': 'bar'}
> curl http://localhost:8080 -H 'Cookie: foo=bar; baz=qux;'
{'foo': 'bar', 'baz': 'qux'}
> curl http://localhost:8080 -H 'Cookie: foo=bar; baz=qux; foo2=bar2'
{'foo': 'bar', 'baz': 'qux', 'foo2': 'bar2'}
the bug:
> curl http://localhost:8080 -H 'Cookie: foo=bar; baz="qux; foo2=bar2'
{'foo': 'bar'}
Python Version
$ python --version
Python 3.11.5
aiohttp Version
$ python -m pip show aiohttp
Name: aiohttp
Version: 3.9.1
Summary: Async http client/server framework (asyncio)
Home-page: https://github.com/aio-libs/aiohttp
Author:
Author-email:
License: Apache 2
Location: /Users/nick/.asdf/installs/python/3.11.5/lib/python3.11/site-packages
Requires: aiosignal, attrs, frozenlist, multidict, yarl
Required-by: openai
multidict Version
$ python -m pip show multidict
Name: multidict
Version: 6.0.4
Summary: multidict implementation
Home-page: https://github.com/aio-libs/multidict
Author: Andrew Svetlov
Author-email: andrew.svetlov@gmail.com
License: Apache 2
Location: /Users/nick/.asdf/installs/python/3.11.5/lib/python3.11/site-packages
Requires:
Required-by: aiohttp, yarl
yarl Version
$ python -m pip show yarl
Name: yarl
Version: 1.9.4
Summary: Yet another URL library
Home-page: https://github.com/aio-libs/yarl
Author: Andrew Svetlov
Author-email: andrew.svetlov@gmail.com
License: Apache-2.0
Location: /Users/nick/.asdf/installs/python/3.11.5/lib/python3.11/site-packages
Requires: idna, multidict
Required-by: aiohttp
OS
macos 14.1.1 (23B81)
Related component
Server
Additional context
We recently deployed a service using aiohttp and noticed that some users would be "logged in" i.e. have a valid session by our main server (webapp2), and not be logged in on our async aiohttp server. It was really hard to narrow down the specfic issue but eventually we found that a requests with a cookie value containing json before our session cookie would cause the user to appear logged out to our aiohttp server
other servers handle the data more robustly for example flask, will correctly parse the 2nd cookie and cookies after it:
#!/usr/bin/env python3
from flask import Flask, request
app = Flask(__name__)
@app.route("/")
def hello():
return str(request.cookies)
def main():
app.run(debug=True)
if __name__ == '__main__':
main()
Code of Conduct
- I agree to follow the aio-libs Code of Conduct