accept signed integers in cookie max-age when computing expiry #1872
Open
HrachShah wants to merge 2 commits into
added 2 commits
May 29, 2026 01:43
…ss.run raises OSError when the executable is missing or has permission issues; catching all Exception masked this specific failure
_max_age_to_expires gates the max-age value with str.isdigit() (and previously also rejected a leading '+'), which only matches strictly positive base-10 integers. Per RFC 6265 § 5.2.2 a negative max-age indicates the cookie expired N seconds in the past and should be treated as already-expired, so the current gate silently drops the attribute for any "Max-Age=-300" or similar. The replacement regex accepts an optional leading '-' or '+' followed by one or more digits, then int()'s the captured value so the resulting expires is correctly in the past for negative input and in the future for positive input. Bare '-' or other garbage is still ignored, matching the previous behavior. float() was also swapped for int() to avoid fractional expiry times for a property that is always an integer in spec, and to keep the regex+int pipeline straightforward. Adds test_get_expired_cookies_handles_signed_max_age with five parametrized cases: negative, positive-in-future, positive-in-past (now=100 vs max-age=10), max-age=0 boundary, and a bare '-' that should be ignored rather than raising.
Summary
get_expired_cookies/_max_age_to_expires gates the max-age value with str.isdigit(), which only matches strictly positive base-10 integers. Per RFC 6265 § 5.2.2, a negative max-age indicates the cookie expired N seconds in the past and should be treated as already-expired, so the current gate silently drops the attribute for any Max-Age=-300 (or other negative) value.
Repro
Fix
_max_age_to_expires now uses a small ^([-+]?)(\d+)$ regex instead of str.isdigit(), and int()s the captured value. The re module is already imported at the top of utils.py, and int is preferable to float for an attribute that is always an integer in spec. Bare - or other non-numeric input is still ignored, matching the previous behavior.
Tests
Adds test_get_expired_cookies_handles_signed_max_age with five parametrized cases: negative, positive-in-future, positive-in-past (now=100 vs max-age=10), max-age=0 boundary, and a bare - that should be ignored rather than raising.
All 10 expired-cookie tests pass; the 18 pre-existing failures elsewhere in the suite are unchanged.
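A runnable sketch of the gate change described in this PR, added here as an illustration and not the code from the PR or the project: it compares an isdigit()-style gate with a signed-integer gate over constructed Set-Cookie headers. The names isdigit_gate, signed_gate, expired_names and SAMPLE are hypothetical, and the use of re.fullmatch with re.ASCII is this sketch's own choice, stricter than the pattern quoted above.

```python
import re

# Optional sign then ASCII digits. fullmatch + re.ASCII is an assumption of this
# sketch: stricter than the ^([-+]?)(\d+)$ pattern quoted in the PR, it also
# rejects a trailing newline and non-ASCII digits.
SIGNED_INT = re.compile(r"[-+]?\d+", re.ASCII)


def isdigit_gate(max_age, now):
    """'Before' behaviour as the PR describes it: signed values are dropped."""
    return now + float(max_age) if max_age.isdigit() else None


def signed_gate(max_age, now):
    """'After' behaviour: signed integers give an expiry; garbage gives None."""
    if SIGNED_INT.fullmatch(max_age) is None:
        return None
    return now + int(max_age)


def expired_names(set_cookie_headers, now, gate):
    """Names of cookies whose Max-Age puts their expiry at or before `now`."""
    expired = []
    for header in set_cookie_headers:
        name_value, *attrs = [part.strip() for part in header.split(";")]
        name = name_value.partition("=")[0]
        for attr in attrs:
            key, _, value = attr.partition("=")
            if key.strip().lower() != "max-age":
                continue
            expires = gate(value.strip(), now)
            if expires is not None and expires <= now:
                expired.append(name)
    return expired


# Constructed sample headers, not taken from the PR's test suite.
SAMPLE = [
    "sid=abc; Path=/; Max-Age=-300",   # server asks the client to drop it
    "theme=dark; Max-Age=+3600",       # still valid for an hour
    "csrf=xyz; Max-Age=0",             # zero boundary: expired immediately
    "junk=1; Max-Age=-",               # bare sign: attribute ignored
]

if __name__ == "__main__":
    print(expired_names(SAMPLE, 1000, isdigit_gate))  # ['csrf']
    print(expired_names(SAMPLE, 1000, signed_gate))   # ['sid', 'csrf']
```

With the isdigit()-style gate the negative Max-Age on the session cookie is ignored, so a client relying on it would keep a cookie the server tried to expire.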