Issue #26302: Correctly identify comma as an invalid character for a cookie (correcti...

diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index fda02b7016bc8f510c7141cc947a6832f470cc73..dbddd6cb8c2a343fe30b47491528c2f6178f5c2c 100644 (file)
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -174,7 +174,7 @@ _Translator.update({
     ord('\\'): '\\\\',
 })
 
-_is_legal_key = re.compile('[%s]+' % _LegalChars).fullmatch
+_is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch
 
 def _quote(str):
     r"""Quote a string for use in a cookie header.

diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index d3e06a452dec2fe30b56778fde61dc1ba5edd85e..2432e0bf53405708964070dfbe098b19d104ef8d 100644 (file)
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -210,6 +210,12 @@ class CookieTests(unittest.TestCase):
                 C1 = pickle.loads(pickle.dumps(C, protocol=proto))
                 self.assertEqual(C1.output(), expected_output)
 
+    def test_illegal_chars(self):
+        rawdata = "a=b; c,d=e"
+        C = cookies.SimpleCookie()
+        with self.assertRaises(cookies.CookieError):
+            C.load(rawdata)
+
 
 class MorselTests(unittest.TestCase):
     """Tests for the Morsel object."""

diff --git a/Misc/NEWS b/Misc/NEWS
index fd4ca59277ca884569b8aa27b5042f867ae70579..a0ccaef865556180996ccf0f4b9f45406767ce5d 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: tba
 Core and Builtins
 -----------------
 
+- Issue #26302: Correct behavior to reject comma as a legal character for
+  cookie names.
+
 - Issue #4806: Avoid masking the original TypeError exception when using star
   (*) unpacking in function calls.  Based on patch by Hagen Fürstenau and
   Daniel Urban.