web: Restore case-insensitivity of set_cookie args

This was an unintended feature that got broken in #3224. Bring it back
for now but deprecate it for future cleanup.

Fixes #3252

diff --git a/docs/releases.rst b/docs/releases.rst
index 9cfe0666a2a7a4ad3daec0ed751a5b07c524fb1d..dd53b12ffed2d0d6896386bd4287548a49a7a05d 100644 (file)
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v6.3.1
    releases/v6.3.0
    releases/v6.2.0
    releases/v6.1.0

diff --git a/docs/releases/v6.3.1.rst b/docs/releases/v6.3.1.rst
new file mode 100644 (file)
index 0000000..11886d0
--- /dev/null
+++ b/docs/releases/v6.3.1.rst
@@ -0,0 +1,12 @@
+What's new in Tornado 6.3.1
+===========================
+
+Apr 21, 2023
+------------
+
+``tornado.web``
+~~~~~~~~~~~~~~~
+
+- `.RequestHandler.set_cookie` once again accepts capitalized keyword arguments
+  for backwards compatibility. This is deprecated and in Tornado 7.0 only lowercase
+  arguments will be accepted. 
\ No newline at end of file

diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index 4b25456865a37180304bb4cab07d3f6899984644..c2d057c5389b8029d553244d7b8db8886e9b24c3 100644 (file)
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -17,6 +17,7 @@ from tornado.log import app_log, gen_log
 from tornado.simple_httpclient import SimpleAsyncHTTPClient
 from tornado.template import DictLoader
 from tornado.testing import AsyncHTTPTestCase, AsyncTestCase, ExpectLog, gen_test
+from tornado.test.util import ignore_deprecation
 from tornado.util import ObjectDict, unicode_type
 from tornado.web import (
     Application,
@@ -318,6 +319,11 @@ class CookieTest(WebTestCase):
                 self.set_cookie("c", "1", httponly=True)
                 self.set_cookie("d", "1", httponly=False)
 
+        class SetCookieDeprecatedArgs(RequestHandler):
+            def get(self):
+                # Mixed case is supported, but deprecated
+                self.set_cookie("a", "b", HttpOnly=True, pATH="/foo")
+
         return [
             ("/set", SetCookieHandler),
             ("/get", GetCookieHandler),
@@ -327,6 +333,7 @@ class CookieTest(WebTestCase):
             ("/set_max_age", SetCookieMaxAgeHandler),
             ("/set_expires_days", SetCookieExpiresDaysHandler),
             ("/set_falsy_flags", SetCookieFalsyFlags),
+            ("/set_deprecated", SetCookieDeprecatedArgs),
         ]
 
     def test_set_cookie(self):
@@ -413,6 +420,12 @@ class CookieTest(WebTestCase):
         self.assertEqual(headers[2].lower(), "c=1; httponly; path=/")
         self.assertEqual(headers[3].lower(), "d=1; path=/")
 
+    def test_set_cookie_deprecated(self):
+        with ignore_deprecation():
+            response = self.fetch("/set_deprecated")
+        header = response.headers.get("Set-Cookie")
+        self.assertEqual(header, "a=b; HttpOnly; Path=/foo")
+
 
 class AuthRedirectRequestHandler(RequestHandler):
     def initialize(self, login_url):

diff --git a/tornado/web.py b/tornado/web.py
index 0a4f409b8843aefe38af162fdf0a99bfcccbb0ea..3b676e3c2565e92eff491ee781807b3f42025ed4 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -79,6 +79,7 @@ import socket
 import sys
 import threading
 import time
+import warnings
 import tornado
 import traceback
 import types
@@ -607,6 +608,7 @@ class RequestHandler(object):
         httponly: bool = False,
         secure: bool = False,
         samesite: Optional[str] = None,
+        **kwargs: Any,
     ) -> None:
         """Sets an outgoing cookie name/value with the given options.
 
@@ -623,6 +625,10 @@ class RequestHandler(object):
         to set an expiration time in days from today (if both are set, ``expires``
         is used).
 
+        .. deprecated:: 6.3
+           Keyword arguments are currently accepted case-insensitively.
+           In Tornado 7.0 this will be changed to only accept lowercase
+           arguments.
         """
         # The cookie library only accepts type str, in both python 2 and 3
         name = escape.native_str(name)
@@ -657,6 +663,17 @@ class RequestHandler(object):
             morsel["secure"] = True
         if samesite:
             morsel["samesite"] = samesite
+        if kwargs:
+            # The setitem interface is case-insensitive, so continue to support
+            # kwargs for backwards compatibility until we can remove deprecated
+            # features.
+            for k, v in kwargs.items():
+                morsel[k] = v
+            warnings.warn(
+                f"Deprecated arguments to set_cookie: {set(kwargs.keys())} "
+                "(should be lowercase)",
+                DeprecationWarning,
+            )
 
     def clear_cookie(self, name: str, **kwargs: Any) -> None:
         """Deletes the cookie with the given name.