Cookies starting with quotation marks get mangled #414

Open
vevv opened this issue Oct 22, 2024 · 6 comments


vevv commented Oct 22, 2024

v0.7.3:
Cookies which start with quotation marks, e.g. `"value"`, get stripped and are sent as `value`.

@vevv vevv added the bug Something isn't working label Oct 22, 2024
Owner

lexiforest commented Oct 22, 2024

If I understand correctly, this is what the RFC states:

```
cookie-pair       = cookie-name "=" cookie-value
cookie-name       = token
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash
```

DQUOTE(") is not a valid cookie value, actually. If your target does not follow the RFC, you have to find out how it escapes the quotes and follow the same pattern.

@lexiforest lexiforest added question Ask for help or clarification and removed bug Something isn't working labels Oct 22, 2024
Author

vevv commented Oct 22, 2024

Well, I don't really know what to tell you. If I look at the headers requests is sending, they have quotation marks at the start/front, as do the values shown in browser dev tools.

I found this while investigating a larger issue where a certain POST request just wouldn't go through, and comparing curl_cffi and requests in Fiddler, this was the only difference.

Collaborator

perklet commented Oct 22, 2024 via email

Author

vevv commented Oct 22, 2024

I can't easily provide any example snippets, it's authenticating with a service. I can confirm that adding the quotes in Fiddler to the curl request makes it work, it's the only difference.

And I apologize for not following the template, but it's the third time today where I ran into an issue I can't easily debug (because I do not control the remote server), where it's curl_cffi silently modifying requests in a way that prevents them from working, it's extremely frustrating.

Author

vevv commented Oct 22, 2024

```python
from curl_cffi import requests

session = requests.Session()
resp = session.get('https://httpbin.org/cookies/set/test/"quoted"')
print(f'httpbin: {resp.json()} <-- appears quoted correctly')
print(f'resp: {resp.cookies} <-- appears quoted correctly')
print(f'store: {session.cookies} <-- appears quoted correctly')

print()
resp = session.get('https://httpbin.dev')
print(f'store: {session.cookies} <-- after making a request (even to an unrelated site), it gets mangled')

print()
resp = session.get('https://httpbin.org/cookies/set/test2/unquoted')
print(f'resp: {resp.cookies} <-- incorrect')
print(f'store: {session.cookies} <-- incorrect')

print()
resp = session.get('https://httpbin.org/cookies')
print(f'httpbin: {resp.json()} <-- incorrect')
```

This demonstrates it well.

@lexiforest
Owner

I see. It seems that the escaped quoted cookies got unquoted twice. Something like this is needed.

@lexiforest lexiforest added bug Something isn't working and removed question Ask for help or clarification labels Oct 24, 2024
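
The double-unquote failure described in this thread, as an added example that is not part of the original issue and is not curl_cffi's code. It classifies values against the RFC grammar quoted above and shows how a second decoding pass turns `"quoted"` into `quoted`; the `unquote` helper and the escaped wire value are assumptions constructed for illustration.

```python
import re

# cookie-octet exactly as in the RFC grammar quoted in this thread.
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
_BARE = re.compile(rf"{_OCTET}*")
_QUOTED = re.compile(rf'"{_OCTET}*"')


def classify(value: str) -> str:
    """Classify a cookie-value against the grammar: bare, quoted or invalid."""
    if _BARE.fullmatch(value):
        return "bare"
    if _QUOTED.fullmatch(value):
        return "quoted"
    return "invalid"


def unquote(value: str) -> str:
    """Hypothetical decoder: strip one pair of quotes, undo backslash escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def decode(wire_value: str, passes: int) -> str:
    """Apply unquote() the given number of times."""
    for _ in range(passes):
        wire_value = unquote(wire_value)
    return wire_value


def is_unquote_stable(stored: str) -> bool:
    """True when one more unquote pass would leave the stored value unchanged."""
    return unquote(stored) == stored


# Constructed sample: an escaped, quoted encoding of the cookie value "quoted".
WIRE = r'"\"quoted\""'

if __name__ == "__main__":
    print("wire form  :", WIRE, "->", classify(WIRE))
    once, twice = decode(WIRE, 1), decode(WIRE, 2)
    print("one pass   :", once, "->", classify(once))
    print("two passes :", twice, "->", classify(twice))
    # A stored value that is not stable changes if any later code path decodes it again.
    print("stable after one pass :", is_unquote_stable(once))
    print("stable after two      :", is_unquote_stable(twice))
```

A regression test for a cookie store can use the same idea: decode a value once, pass it through every later read and write path, and assert that it comes back byte-for-byte identical.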