fix(cookies): allow more characters in cookie names, as defined by more recent RFCs (#490)

Python's http.cookies library is very strict, and throws an
exception when a cookie-name violates older RFC definitions of
the name. This is reflected back as a 500. But the user has no
indication that he was the cause of it.

More recent RFCs seem to allow for more characters, which is also
reflected in the http.cookies library, but not used. So switch to
that more relaxed definition of valid cookie name.

Still, illegal names should not return 500 in aiohttp, but that
is a problem for another time.

Author: TrueBrain

truewiki/__main__.py

@@ -2,9 +2,11 @@
 import click
 import logging
 import os
+import re
 
 from aiohttp import web
 from aiohttp.web_log import AccessLogger
+from http import cookies
 from openttd_helpers import click_helper
 from openttd_helpers.logging_helper import click_logging
 from openttd_helpers.sentry_helper import click_sentry
@@ -58,6 +60,19 @@
 REMOTE_IP_HEADER = None
 
 
+# Monkey-patch the http.cookies library, as it is considering certain
+# cookie-names invalid, which happen in the real world. It throws an exception
+# in those cases, causing a 500. But the user can do absolutely nothing about
+# having a cookie the browser considers valid. aiohttp should honestly handle
+# that more gracefully, but it doesn't.
+# There is a bit of discussion what cookie-names are actually allowed, but
+# more recent RFCs allow for more characters. So we monkey-patch that in.
+#
+# See https://github.com/aio-libs/aiohttp/issues/2683 for more details.
+#
+cookies._is_legal_key = re.compile("[%s]+" % re.escape(cookies._UnescapedChars)).fullmatch
+
+
 class ErrorOnlyAccessLogger(AccessLogger):
     def log(self, request, response, time):
         # Only log if the status was not successful