Skip to content

Optimize _WS_EXT_RE backtracking on Python 3.11+#12346

Open
HarshithReddy01 wants to merge 7 commits intoaio-libs:masterfrom
HarshithReddy01:fix-connection-leak
Open

Optimize _WS_EXT_RE backtracking on Python 3.11+#12346
HarshithReddy01 wants to merge 7 commits intoaio-libs:masterfrom
HarshithReddy01:fix-connection-leak

Conversation

@HarshithReddy01
Copy link
Copy Markdown

@HarshithReddy01 HarshithReddy01 commented Apr 9, 2026

What do these changes do?

This change optimizes WebSocket extension parsing in aiohttp/_websocket/helpers.py by using an atomic outer group for Python 3.11+ in _WS_EXT_RE.

The previous pattern used a repeating outer non-atomic group: (?:;\s*(?:...))*.
With many valid extension tokens followed by an invalid suffix, regex matching could spend extra time backtracking across prior iterations before failing.

On Python 3.11+, the outer group is changed to atomic (?>...)*, which prevents that backtracking path while preserving the same matching intent.
On Python 3.10 and lower, behavior is unchanged because atomic groups are not supported there.

Are there changes in behavior for the user?

No user-facing behavior change is intended.

Accepted/rejected extension strings remain the same for valid inputs.
This is a performance-oriented change focused on reducing worst-case backtracking on failing matches.

Is it a substantial burden for the maintainers to support this?

No.

The implementation is a small version-gated regex compile-time branch, with both variants kept structurally identical except for the atomic-group syntax on 3.11+.

Related issue number

Discussed in GHSA-qhr8-wxhx-9q9w (closed).
This PR is submitted as a performance improvement, not a security fix/CVE claim.

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • Add a new news fragment into the CHANGES/ folder

Harshith Reddy added 2 commits April 9, 2026 08:28
Optimize websocket extension regex backtracking behavior
86edaba 
Use an atomic group for Python 3.11+ in websocket extension parsing and add focused tests to validate behavior and guard against worst-case backtracking regressions.
Add contributor entry and changelog fragment
ed7bc48 
Include contributor attribution and a misc changelog note for the websocket extension regex optimization change.
@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Apr 9, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 9, 2026
View reviewed changes
@codspeed-hq
Copy link
Copy Markdown

codspeed-hq bot commented Apr 9, 2026
edited
Loading

Merging this PR will not alter performance

✅ 61 untouched benchmarks
⏩ 4 skipped benchmarks1

Comparing HarshithReddy01:fix-connection-leak (9347ca3) with master (fc67cfd)

Open in CodSpeed

Footnotes

  1. 4 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 9, 2026
edited
Loading

❌ 3 Tests Failed:

Tests completed Failed Passed Skipped
4419 3 4416 106
View the top 1 failed test(s) by shortest run time 
tests.test_cookie_helpers::test_parse_set_cookie_headers_uses_unquote_with_octal[complex="\\042quoted\\042 text with \\012 newline"-complex-"quoted" text with \n newline-"\\042quoted\\042 text with \\012 newline"]
Stack Traces | 0.007s run time 
header = 'complex="\\042quoted\\042 text with \\012 newline"'
expected_name = 'complex', expected_value = '"quoted" text with \n newline'
expected_coded = '"\\042quoted\\042 text with \\012 newline"'

    #x1B[0m#x1B[37m@pytest#x1B[39;49;00m.mark.parametrize(#x1B[90m#x1B[39;49;00m
        (#x1B[33m"#x1B[39;49;00m#x1B[33mheader#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_name#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_value#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_coded#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m),#x1B[90m#x1B[39;49;00m
        [#x1B[90m#x1B[39;49;00m
            #x1B[90m# Test cookie values with octal escape sequences#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
            (#x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mname=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012newline#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mname#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33mnewline#x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012newline#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mtab=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011separated#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011values#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mtab#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33m\t#x1B[39;49;00m#x1B[33mseparated#x1B[39;49;00m#x1B[33m\t#x1B[39;49;00m#x1B[33mvalues#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011separated#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011values#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mmixed=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mhello#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m040world#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m041#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mmixed#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mhello world!#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mhello#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m040world#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m041#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mcomplex=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042quoted#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042 text with #x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012 newline#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mcomplex#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mquoted#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m text with #x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33m newline#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042quoted#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042 text with #x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012 newline#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
        ],#x1B[90m#x1B[39;49;00m
    )#x1B[90m#x1B[39;49;00m
    #x1B[94mdef#x1B[39;49;00m#x1B[90m #x1B[39;49;00m#x1B[92mtest_parse_set_cookie_headers_uses_unquote_with_octal#x1B[39;49;00m(#x1B[90m#x1B[39;49;00m
        header: #x1B[96mstr#x1B[39;49;00m, expected_name: #x1B[96mstr#x1B[39;49;00m, expected_value: #x1B[96mstr#x1B[39;49;00m, expected_coded: #x1B[96mstr#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
    ) -> #x1B[94mNone#x1B[39;49;00m:#x1B[90m#x1B[39;49;00m
    #x1B[90m    #x1B[39;49;00m#x1B[33m"""Test that parse_set_cookie_headers correctly unquotes values with octal sequences and preserves coded_value."""#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
>       result = parse_set_cookie_headers([header])#x1B[90m#x1B[39;49;00m
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#x1B[90m#x1B[39;49;00m

expected_coded = '"\\042quoted\\042 text with \\012 newline"'
expected_name = 'complex'
expected_value = '"quoted" text with \n newline'
header     = 'complex="\\042quoted\\042 text with \\012 newline"'

#x1B[1m#x1B[31mtests/test_cookie_helpers.py#x1B[0m:1124: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
#x1B[1m#x1B[31maiohttp/_cookie_helpers.py#x1B[0m:330: in parse_set_cookie_headers
    #x1B[0mcurrent_morsel.__setstate__(  #x1B[90m# type: ignore[attr-defined]#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
        current_morsel = <Morsel: None=None>
        header     = 'complex="\\042quoted\\042 text with \\012 newline"'
        headers    = ['complex="\\042quoted\\042 text with \\012 newline"']
        i          = 47
        key        = 'complex'
        lower_key  = 'complex'
        match      = <re.Match object; span=(0, 47), match='complex="\\042quoted\\042 text with \\012 newline>
        morsel_seen = False
        n          = 47
        parsed_cookies = []
        value      = '"\\042quoted\\042 text with \\012 newline"'
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <Morsel: None=None>
state = {'coded_value': '"\\042quoted\\042 text with \\012 newline"', 'key': 'complex', 'value': '"quoted" text with \n newline'}

    #x1B[0m#x1B[94mdef#x1B[39;49;00m#x1B[90m #x1B[39;49;00m#x1B[92m__setstate__#x1B[39;49;00m(#x1B[96mself#x1B[39;49;00m, state):#x1B[90m#x1B[39;49;00m
        key = state[#x1B[33m'#x1B[39;49;00m#x1B[33mkey#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        value = state[#x1B[33m'#x1B[39;49;00m#x1B[33mvalue#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        coded_value = state[#x1B[33m'#x1B[39;49;00m#x1B[33mcoded_value#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        #x1B[94mif#x1B[39;49;00m _has_control_character(key, value, coded_value):#x1B[90m#x1B[39;49;00m
>           #x1B[94mraise#x1B[39;49;00m CookieError(#x1B[33m"#x1B[39;49;00m#x1B[33mControl characters are not allowed in cookies #x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
                              #x1B[33mf#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m{#x1B[39;49;00mkey#x1B[33m!r}#x1B[39;49;00m#x1B[33m #x1B[39;49;00m#x1B[33m{#x1B[39;49;00mvalue#x1B[33m!r}#x1B[39;49;00m#x1B[33m #x1B[39;49;00m#x1B[33m{#x1B[39;49;00mcoded_value#x1B[33m!r}#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m)#x1B[90m#x1B[39;49;00m
#x1B[1m#x1B[31mE           http.cookies.CookieError: Control characters are not allowed in cookies 'complex' '"quoted" text with \n newline' '"\\042quoted\\042 text with \\012 newline"'#x1B[0m

coded_value = '"\\042quoted\\042 text with \\012 newline"'
key        = 'complex'
self       = <Morsel: None=None>
state      = {'coded_value': '"\\042quoted\\042 text with \\012 newline"', 'key': 'complex', 'value': '"quoted" text with \n newline'}
value      = '"quoted" text with \n newline'

#x1B[1m#x1B[.../hostedtoolcache/Python/3.14.4.../x64-freethreaded/lib/python3.14t/http/cookies.py#x1B[0m:379: CookieError
View the full list of 2 ❄️ flaky test(s) 
tests.test_cookie_helpers::test_parse_set_cookie_headers_uses_unquote_with_octal[name="\\012newline\\012"-name-\nnewline\n-"\\012newline\\012"]

Flake rate in main: 9.09% (Passed 10 times, Failed 1 times)

Stack Traces | 0.007s run time 
header = 'name="\\012newline\\012"', expected_name = 'name'
expected_value = '\nnewline\n', expected_coded = '"\\012newline\\012"'

    #x1B[0m#x1B[37m@pytest#x1B[39;49;00m.mark.parametrize(#x1B[90m#x1B[39;49;00m
        (#x1B[33m"#x1B[39;49;00m#x1B[33mheader#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_name#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_value#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_coded#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m),#x1B[90m#x1B[39;49;00m
        [#x1B[90m#x1B[39;49;00m
            #x1B[90m# Test cookie values with octal escape sequences#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
            (#x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mname=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012newline#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mname#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33mnewline#x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012newline#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mtab=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011separated#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011values#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mtab#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33m\t#x1B[39;49;00m#x1B[33mseparated#x1B[39;49;00m#x1B[33m\t#x1B[39;49;00m#x1B[33mvalues#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011separated#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011values#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mmixed=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mhello#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m040world#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m041#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mmixed#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mhello world!#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mhello#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m040world#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m041#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mcomplex=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042quoted#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042 text with #x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012 newline#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mcomplex#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mquoted#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m text with #x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33m newline#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042quoted#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042 text with #x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012 newline#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
        ],#x1B[90m#x1B[39;49;00m
    )#x1B[90m#x1B[39;49;00m
    #x1B[94mdef#x1B[39;49;00m#x1B[90m #x1B[39;49;00m#x1B[92mtest_parse_set_cookie_headers_uses_unquote_with_octal#x1B[39;49;00m(#x1B[90m#x1B[39;49;00m
        header: #x1B[96mstr#x1B[39;49;00m, expected_name: #x1B[96mstr#x1B[39;49;00m, expected_value: #x1B[96mstr#x1B[39;49;00m, expected_coded: #x1B[96mstr#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
    ) -> #x1B[94mNone#x1B[39;49;00m:#x1B[90m#x1B[39;49;00m
    #x1B[90m    #x1B[39;49;00m#x1B[33m"""Test that parse_set_cookie_headers correctly unquotes values with octal sequences and preserves coded_value."""#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
>       result = parse_set_cookie_headers([header])#x1B[90m#x1B[39;49;00m
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#x1B[90m#x1B[39;49;00m

expected_coded = '"\\012newline\\012"'
expected_name = 'name'
expected_value = '\nnewline\n'
header     = 'name="\\012newline\\012"'

#x1B[1m#x1B[31mtests/test_cookie_helpers.py#x1B[0m:1124: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
#x1B[1m#x1B[31maiohttp/_cookie_helpers.py#x1B[0m:330: in parse_set_cookie_headers
    #x1B[0mcurrent_morsel.__setstate__(  #x1B[90m# type: ignore[attr-defined]#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
        current_morsel = <Morsel: None=None>
        header     = 'name="\\012newline\\012"'
        headers    = ['name="\\012newline\\012"']
        i          = 22
        key        = 'name'
        lower_key  = 'name'
        match      = <re.Match object; span=(0, 22), match='name="\\012newline\\012"'>
        morsel_seen = False
        n          = 22
        parsed_cookies = []
        value      = '"\\012newline\\012"'
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <Morsel: None=None>
state = {'coded_value': '"\\012newline\\012"', 'key': 'name', 'value': '\nnewline\n'}

    #x1B[0m#x1B[94mdef#x1B[39;49;00m#x1B[90m #x1B[39;49;00m#x1B[92m__setstate__#x1B[39;49;00m(#x1B[96mself#x1B[39;49;00m, state):#x1B[90m#x1B[39;49;00m
        key = state[#x1B[33m'#x1B[39;49;00m#x1B[33mkey#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        value = state[#x1B[33m'#x1B[39;49;00m#x1B[33mvalue#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        coded_value = state[#x1B[33m'#x1B[39;49;00m#x1B[33mcoded_value#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        #x1B[94mif#x1B[39;49;00m _has_control_character(key, value, coded_value):#x1B[90m#x1B[39;49;00m
>           #x1B[94mraise#x1B[39;49;00m CookieError(#x1B[33m"#x1B[39;49;00m#x1B[33mControl characters are not allowed in cookies #x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
                              #x1B[33mf#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m{#x1B[39;49;00mkey#x1B[33m!r}#x1B[39;49;00m#x1B[33m #x1B[39;49;00m#x1B[33m{#x1B[39;49;00mvalue#x1B[33m!r}#x1B[39;49;00m#x1B[33m #x1B[39;49;00m#x1B[33m{#x1B[39;49;00mcoded_value#x1B[33m!r}#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m)#x1B[90m#x1B[39;49;00m
#x1B[1m#x1B[31mE           http.cookies.CookieError: Control characters are not allowed in cookies 'name' '\nnewline\n' '"\\012newline\\012"'#x1B[0m

coded_value = '"\\012newline\\012"'
key        = 'name'
self       = <Morsel: None=None>
state      = {'coded_value': '"\\012newline\\012"', 'key': 'name', 'value': '\nnewline\n'}
value      = '\nnewline\n'

#x1B[1m#x1B[.../hostedtoolcache/Python/3.14.4.../x64-freethreaded/lib/python3.14t/http/cookies.py#x1B[0m:379: CookieError
tests.test_cookie_helpers::test_parse_set_cookie_headers_uses_unquote_with_octal[tab="\\011separated\\011values"-tab-\tseparated\tvalues-"\\011separated\\011values"]

Flake rate in main: 4.76% (Passed 20 times, Failed 1 times)

Stack Traces | 0.006s run time 
header = 'tab="\\011separated\\011values"', expected_name = 'tab'
expected_value = '\tseparated\tvalues'
expected_coded = '"\\011separated\\011values"'

    #x1B[0m#x1B[37m@pytest#x1B[39;49;00m.mark.parametrize(#x1B[90m#x1B[39;49;00m
        (#x1B[33m"#x1B[39;49;00m#x1B[33mheader#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_name#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_value#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mexpected_coded#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m),#x1B[90m#x1B[39;49;00m
        [#x1B[90m#x1B[39;49;00m
            #x1B[90m# Test cookie values with octal escape sequences#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
            (#x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mname=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012newline#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33mname#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33m"#x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33mnewline#x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m, #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012newline#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mtab=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011separated#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011values#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mtab#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33m\t#x1B[39;49;00m#x1B[33mseparated#x1B[39;49;00m#x1B[33m\t#x1B[39;49;00m#x1B[33mvalues#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011separated#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m011values#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mmixed=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mhello#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m040world#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m041#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mmixed#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mhello world!#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mhello#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m040world#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m041#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
            (#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33mcomplex=#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042quoted#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042 text with #x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012 newline#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m"#x1B[39;49;00m#x1B[33mcomplex#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33mquoted#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m text with #x1B[39;49;00m#x1B[33m\n#x1B[39;49;00m#x1B[33m newline#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
                #x1B[33mr#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042quoted#x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m042 text with #x1B[39;49;00m#x1B[33m\#x1B[39;49;00m#x1B[33m012 newline#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m,#x1B[90m#x1B[39;49;00m
            ),#x1B[90m#x1B[39;49;00m
        ],#x1B[90m#x1B[39;49;00m
    )#x1B[90m#x1B[39;49;00m
    #x1B[94mdef#x1B[39;49;00m#x1B[90m #x1B[39;49;00m#x1B[92mtest_parse_set_cookie_headers_uses_unquote_with_octal#x1B[39;49;00m(#x1B[90m#x1B[39;49;00m
        header: #x1B[96mstr#x1B[39;49;00m, expected_name: #x1B[96mstr#x1B[39;49;00m, expected_value: #x1B[96mstr#x1B[39;49;00m, expected_coded: #x1B[96mstr#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
    ) -> #x1B[94mNone#x1B[39;49;00m:#x1B[90m#x1B[39;49;00m
    #x1B[90m    #x1B[39;49;00m#x1B[33m"""Test that parse_set_cookie_headers correctly unquotes values with octal sequences and preserves coded_value."""#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
>       result = parse_set_cookie_headers([header])#x1B[90m#x1B[39;49;00m
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#x1B[90m#x1B[39;49;00m

expected_coded = '"\\011separated\\011values"'
expected_name = 'tab'
expected_value = '\tseparated\tvalues'
header     = 'tab="\\011separated\\011values"'

#x1B[1m#x1B[31mtests/test_cookie_helpers.py#x1B[0m:1124: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
#x1B[1m#x1B[31maiohttp/_cookie_helpers.py#x1B[0m:330: in parse_set_cookie_headers
    #x1B[0mcurrent_morsel.__setstate__(  #x1B[90m# type: ignore[attr-defined]#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
        current_morsel = <Morsel: None=None>
        header     = 'tab="\\011separated\\011values"'
        headers    = ['tab="\\011separated\\011values"']
        i          = 29
        key        = 'tab'
        lower_key  = 'tab'
        match      = <re.Match object; span=(0, 29), match='tab="\\011separated\\011values"'>
        morsel_seen = False
        n          = 29
        parsed_cookies = []
        value      = '"\\011separated\\011values"'
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <Morsel: None=None>
state = {'coded_value': '"\\011separated\\011values"', 'key': 'tab', 'value': '\tseparated\tvalues'}

    #x1B[0m#x1B[94mdef#x1B[39;49;00m#x1B[90m #x1B[39;49;00m#x1B[92m__setstate__#x1B[39;49;00m(#x1B[96mself#x1B[39;49;00m, state):#x1B[90m#x1B[39;49;00m
        key = state[#x1B[33m'#x1B[39;49;00m#x1B[33mkey#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        value = state[#x1B[33m'#x1B[39;49;00m#x1B[33mvalue#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        coded_value = state[#x1B[33m'#x1B[39;49;00m#x1B[33mcoded_value#x1B[39;49;00m#x1B[33m'#x1B[39;49;00m]#x1B[90m#x1B[39;49;00m
        #x1B[94mif#x1B[39;49;00m _has_control_character(key, value, coded_value):#x1B[90m#x1B[39;49;00m
>           #x1B[94mraise#x1B[39;49;00m CookieError(#x1B[33m"#x1B[39;49;00m#x1B[33mControl characters are not allowed in cookies #x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
                              #x1B[33mf#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m#x1B[33m{#x1B[39;49;00mkey#x1B[33m!r}#x1B[39;49;00m#x1B[33m #x1B[39;49;00m#x1B[33m{#x1B[39;49;00mvalue#x1B[33m!r}#x1B[39;49;00m#x1B[33m #x1B[39;49;00m#x1B[33m{#x1B[39;49;00mcoded_value#x1B[33m!r}#x1B[39;49;00m#x1B[33m"#x1B[39;49;00m)#x1B[90m#x1B[39;49;00m
#x1B[1m#x1B[31mE           http.cookies.CookieError: Control characters are not allowed in cookies 'tab' '\tseparated\tvalues' '"\\011separated\\011values"'#x1B[0m

coded_value = '"\\011separated\\011values"'
key        = 'tab'
self       = <Morsel: None=None>
state      = {'coded_value': '"\\011separated\\011values"', 'key': 'tab', 'value': '\tseparated\tvalues'}
value      = '\tseparated\tvalues'

#x1B[1m#x1B[.../hostedtoolcache/Python/3.14.4.../x64-freethreaded/lib/python3.14t/http/cookies.py#x1B[0m:379: CookieError

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

webknjaz
webknjaz reviewed Apr 9, 2026
View reviewed changes
Dreamsorcerer
Dreamsorcerer reviewed Apr 9, 2026
View reviewed changes
tests/test_ws_ext_helpers.py Outdated
Comment on lines +14 to +38
def test_permessage_deflate_only(self) -> None:
compress, notakeover = ws_ext_parse("permessage-deflate")
assert compress == 15
assert notakeover is False

def test_server_no_context_takeover(self) -> None:
compress, notakeover = ws_ext_parse(
"permessage-deflate; server_no_context_takeover", isserver=True
)
assert compress == 15
assert notakeover is True

def test_client_no_context_takeover(self) -> None:
compress, notakeover = ws_ext_parse(
"permessage-deflate; client_no_context_takeover", isserver=False
)
assert compress == 15
assert notakeover is True

def test_server_max_window_bits(self) -> None:
compress, notakeover = ws_ext_parse(
"permessage-deflate; server_max_window_bits=12", isserver=True
)
assert compress == 12
assert notakeover is False
Copy link
Copy Markdown
Member

@Dreamsorcerer Dreamsorcerer Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's parametrize these. So, one test that looks something like:

@pytest.mark.parametrize(
    ("msg", "server", "expected"),
    (
        ("permessage-defalt", False, (15, False)),
        ...
    )
)
def test_ws_ext_parser(msg: str, server: bool, expected: tuple[int, bool]) -> None:
    assert ws_ext_parser(msg, isserver=server) == expected

Dreamsorcerer
Dreamsorcerer reviewed Apr 9, 2026
View reviewed changes
tests/test_ws_ext_helpers.py Outdated
# Without the atomic group fix this causes exponential backtracking.
evil = "permessage-deflate" + ("; server_no_context_takeover" * 30) + ";INVALID"
start = time.perf_counter()
try:
Copy link
Copy Markdown
Member

@Dreamsorcerer Dreamsorcerer Apr 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than ignoring an exception, we can verify that it occurs:

Suggested change
try:
with pytest.raises(WSHandShakeError):

@HarshithReddy01
Copy link
Copy Markdown
Author

HarshithReddy01 commented Apr 9, 2026

The Test (ubuntu, 3.14t, false) failure is pre-existing on master and unrelated to this PR, it's test_parse_set_cookie_headers_uses_unquote_with_octal failing due to Python 3.14t's new strict control character check in http.cookies.Morsel. The fail-fast strategy cancelled all other jobs. Happy to rerun CI once confirmed.

@Dreamsorcerer
Copy link
Copy Markdown
Member

Dreamsorcerer commented Apr 9, 2026

The Test (ubuntu, 3.14t, false) failure is pre-existing on master and unrelated to this PR, it's test_parse_set_cookie_headers_uses_unquote_with_octal failing due to Python 3.14t's new strict control character check in http.cookies.Morsel. The fail-fast strategy cancelled all other jobs. Happy to rerun CI once confirmed.

Yeah, it's a security patch to 3.14 that's broken it. We'll need to sort a separate PR for that shortly.

@Dreamsorcerer Dreamsorcerer added the backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot label Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@webknjaz webknjaz webknjaz left review comments

@Dreamsorcerer Dreamsorcerer Dreamsorcerer approved these changes

@asvetlov asvetlov Awaiting requested review from asvetlov asvetlov is a code owner

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot bot:chronographer:provided There is a change note present in this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@HarshithReddy01 @Dreamsorcerer @webknjaz @github-advanced-security