Brian Sutherland wrote:
On Wed, May 03, 2006 at 01:32:49AM +0200, Daniel Nouri wrote:
So, after talking to philiKON and jinty on IRC, I wrote this rather kludgy test that shows that there's a problem with the current implementation of testbrowser in Five and cookies.
Attached is a patch that contains both the test and the fix. Note that I couldn't find the time to write a test for Zope 3 that would show that the Zope 3 setup does *not* eat away your cookies. jinty suggested I should do that, but I think the included test makes things clear enough.
I just wanted an example of what Zope3 does, but was too lazy to find one myself. But yeah, your test makes it absolutely clear to me that this is a bug we need to fix. I'll commit your patch (or something like it) to the trunk and Five 1.4 branches.
Sometimes it's easier to understand tests than patches or english.
+ >>> response = self.publish('/test_folder_1_') + >>> print str(response) # doctest: +ELLIPSIS + Status: 200 OK + X-Powered-By: Zope (www.zope.org), Python (www.python.org) + Content-Length: 0 + Set-Cookie: evil="cookie"
Interesting, Zope3 does not put quotes around cookie values, but Zope2 always does. I wonder which is right?
Zope 2 was wrong (and it's been reported a number of time that it sometimes prevent interoperability with other systems) but changing it would break too much Zope 3 apps. Florent -- Florent Guillaume, Nuxeo (Paris, France) Director of R&D +33 1 40 33 71 59 http://nuxeo.com fg@nuxeo.com