durusmail: quixote-users: Quoting! Yay!
Evan LaForge
2004-04-22
Just because everyone loves quoting so much, I suggest the following patch,
to 1.0b1:

*** session.py  Mon Apr 12 11:52:00 2004
--- session.py.new      Thu Apr 22 13:02:23 2004
***************
*** 28,33 ****
--- 28,34 ----

  from quixote import get_publisher
  from quixote.errors import SessionError
+ import quixote.html

  try:
      # /dev/urandom is just as good as /dev/random for cookies (assuming
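Review bot: The added `import quixote.html`, directly below the two `from ... import ...` lines, breaks from the import form used around it. `from quixote.html import url_quote` would match the neighbouring style and show at the top of the file which single name this change depends on.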
***************
*** 345,351 ****
          if config.session_cookie_path:
              path = config.session_cookie_path
          else:
!             path = request.environ['SCRIPT_NAME']
              if not path.endswith("/"):
                  path += "/"
          domain = config.session_cookie_domain
--- 346,352 ----
          if config.session_cookie_path:
              path = config.session_cookie_path
          else:
!             path = quixote.html.url_quote(request.environ['SCRIPT_NAME'])
              if not path.endswith("/"):
                  path += "/"
          domain = config.session_cookie_domain
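Review bot: Only the `else` branch is quoted here. A configured `config.session_cookie_path` is still emitted verbatim, so a configured value such as '/~me/' keeps the mismatch this change is meant to remove. Either pass the configured value through the same `url_quote` call or document that it must already be url-quoted. The new line also assumes `request.environ['SCRIPT_NAME']` always arrives unquoted; if it ever arrives quoted, the '%' would itself be escaped, so a comment stating that assumption next to the call would help the next reader.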

This is because browsers (well, my browser) set SCRIPT_NAME to the unquoted
path, and consider a cookie with a path of '/~me/' different from '/%7Eme/'.
So if your app properly url-quotes its paths, it's not going to get the cookie
if session_cookie_path = None.

If there are browsers that set SCRIPT_NAME already quoted, then I don't know
what to do in the face of paths with '%' in them.

I also recommend changing the urllib.quote in http_request.py to
quixote.html.url_quote, just so there's a single point of entry for url
quoting.

As an aside, is urllib ever justified in quoting '~'?  It makes common paths
ugly and humans always use '~', and in the light of cookie sensitivity,
your session can suddenly stop working when you type in an url or come from
a human written link that uses '~'.
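
The mismatch described in the message above, as an added example that is not part of the original post or of Quixote's code. `path_match` models cookie path matching as the plain string comparison of RFC 6265 section 5.1.4, `legacy_quote` is a hypothetical stand-in for a quoter that escapes '~', and all sample paths are constructed.

```python
import re

UNRESERVED = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
              "0123456789-._~")  # RFC 3986 unreserved characters

def legacy_quote(s, safe="/"):
    """Hypothetical stand-in for a quoter that escapes '~' (as the post describes)."""
    keep = UNRESERVED.replace("~", "") + safe
    return "".join(chr(b) if chr(b) in keep else "%%%02X" % b
                   for b in s.encode("utf-8"))

def cookie_path(script_name, quote_fn):
    """Default cookie path as in the patched branch: quote, then ensure trailing '/'."""
    path = quote_fn(script_name)
    return path if path.endswith("/") else path + "/"

def path_match(request_path, cookie_path_value):
    """RFC 6265 5.1.4 path-match: string comparison, no percent-decoding."""
    if request_path == cookie_path_value:
        return True
    if request_path.startswith(cookie_path_value):
        return (cookie_path_value.endswith("/")
                or request_path[len(cookie_path_value)] == "/")
    return False

def normalize_escapes(path):
    """Decode escapes of unreserved characters and upper-case the others
    (RFC 3986 6.2.2), so '/%7eme/' and '/~me/' compare equal. Idempotent."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, path)

if __name__ == "__main__":
    script_name = "/~me/app"                         # constructed sample
    requests = ["/~me/app/page", "/%7Eme/app/page"]  # typed vs url-quoted link
    for label, fn in (("unquoted", lambda s: s), ("quoted", legacy_quote)):
        cp = cookie_path(script_name, fn)
        for rp in requests:
            print(label, cp, rp, "sent" if path_match(rp, cp) else "NOT sent")
    # Quoting an already-quoted SCRIPT_NAME escapes the '%' itself.
    print(legacy_quote("/%7Eme/app"))
    # Comparing normalized forms removes the '~' / '%7E' ambiguity.
    print(path_match(normalize_escapes(requests[0]),
                     normalize_escapes(cookie_path(script_name, legacy_quote))))
```

Whichever form the cookie path takes, only requests whose path is spelled the same way carry the session cookie, so the links an application emits and its cookie path need to come from the same quoting function.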
