From: Nick Burns <nburns@users.noreply.github.com>
Date: Fri, 8 Aug 2025 19:07:15 +0000 (-0700)
Subject: gh-92936: allow double quote in cookie values (#113663)
X-Git-Tag: v3.15.0a1~733
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d7dbde895884d58e3da7ed4107fd33171afad7cb;p=thirdparty%2FPython%2Fcpython.git

gh-92936: allow double quote in cookie values (#113663)

* allow double quote in cookie values
* Update Lib/test/test_http_cookies.py

Co-authored-by: Senthil Kumaran <senthil@python.org>
---

diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 694b1b09a056..74349bb63d66 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -426,7 +426,7 @@ _CookiePattern = re.compile(r"""
     (                              # Optional group: there may not be a value.
     \s*=\s*                          # Equal Sign
     (?P<val>                         # Start of group 'val'
-    "(?:[^\\"]|\\.)*"                  # Any double-quoted string
+    "(?:\\"|.)*?"                    # Any double-quoted string
     |                                  # or
     # Special case for "expires" attr
     (\w{3,6}day|\w{3}),\s              # Day of the week or abbreviated day
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 2fbc142de2fd..c2ed30831b2e 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -48,6 +48,29 @@ class CookieTests(unittest.TestCase):
                     'Set-Cookie: d=r',
                     'Set-Cookie: f=h'
                 ))
+            },
+
+            # gh-92936: allow double quote in cookie values
+            {
+                'data': 'cookie="{"key": "value"}"',
+                'dict': {'cookie': '{"key": "value"}'},
+                'repr': "<SimpleCookie: cookie='{\"key\": \"value\"}'>",
+                'output': 'Set-Cookie: cookie="{"key": "value"}"',
+            },
+            {
+                'data': 'key="some value; surrounded by quotes"',
+                'dict': {'key': 'some value; surrounded by quotes'},
+                'repr': "<SimpleCookie: key='some value; surrounded by quotes'>",
+                'output': 'Set-Cookie: key="some value; surrounded by quotes"',
+            },
+            {
+                'data': 'session="user123"; preferences="{"theme": "dark"}"',
+                'dict': {'session': 'user123', 'preferences': '{"theme": "dark"}'},
+                'repr': "<SimpleCookie: preferences='{\"theme\": \"dark\"}' session='user123'>",
+                'output': '\n'.join((
+                    'Set-Cookie: preferences="{"theme": "dark"}"',
+                    'Set-Cookie: session="user123"',
+                ))
             }
         ]
 
diff --git a/Misc/NEWS.d/next/Library/2025-08-08-21-20-14.gh-issue-92936.rOgG1S.rst b/Misc/NEWS.d/next/Library/2025-08-08-21-20-14.gh-issue-92936.rOgG1S.rst
new file mode 100644
index 000000000000..906c442b64f4
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-08-08-21-20-14.gh-issue-92936.rOgG1S.rst
@@ -0,0 +1,2 @@
+Update regex used by ``http.cookies.SimpleCookie`` to handle values containing
+double quotes.