Apply escaping rules when parsing cookie values

miguelgrinberg · miguelgrinberg · commit 04e7c4dd4792 · 2025-10-18T12:56:24.000+01:00
diff --git a/src/engineio/async_client.py b/src/engineio/async_client.py
@@ -1,4 +1,5 @@
 import asyncio
+from http.cookies import SimpleCookie
 import signal
 import ssl
 import threading
@@ -319,14 +320,13 @@ async def _connect_websocket(self, url, headers, engineio_path):
 
         # extract any new cookies passed in a header so that they can also be
         # sent the the WebSocket route
-        cookies = {}
         for header, value in headers.items():
             if header.lower() == 'cookie':
-                cookies = dict(
-                    [cookie.split('=', 1) for cookie in value.split('; ')])
+                ck = SimpleCookie(headers[header])
+                self.http.cookie_jar.update_cookies(
+                    {k: m.value for k, m in ck.items()})
                 del headers[header]
                 break
-        self.http.cookie_jar.update_cookies(cookies)
 
         extra_options = {'timeout': self.request_timeout}
         if not self.ssl_verify:
diff --git a/src/engineio/client.py b/src/engineio/client.py
@@ -1,11 +1,12 @@
 from base64 import b64encode
-from engineio.json import JSONDecodeError
+from http.cookies import SimpleCookie
 import logging
 import queue
 import ssl
 import threading
 import time
 import urllib
+from engineio.json import JSONDecodeError
 
 try:
     import requests
@@ -268,8 +269,10 @@ def _connect_websocket(self, url, headers, engineio_path):
         extra_options = {}
         if self.http:
             # cookies
-            cookies = '; '.join([f"{cookie.name}={cookie.value}"
-                                 for cookie in self.http.cookies])
+            ck = SimpleCookie()
+            for cookie in self.http.cookies:
+                ck[cookie.name] = cookie.value
+            cookies = ck.output(header='', sep=';').strip()
             for header, value in headers.items():
                 if header.lower() == 'cookie':
                     if cookies:
diff --git a/tests/async/test_client.py b/tests/async/test_client.py
@@ -714,7 +714,7 @@ async def test_websocket_connection_with_cookie_header(self, _time):
             timeout=5,
         )
         c.http.cookie_jar.update_cookies.assert_called_once_with(
-            {'key': 'value', 'key2': 'value2', 'key3': '"value3="'}
+            {'key': 'value', 'key2': 'value2', 'key3': 'value3='}
         )
 
     @mock.patch('engineio.client.time.time', return_value=123.456)

Original file line number	Diff line number	Diff line change
`@@ -714,7 +714,7 @@ async def test_websocket_connection_with_cookie_header(self, _time):`
`714`	`714`	`timeout=5,`
`715`	`715`	`)`
`716`	`716`	`c.http.cookie_jar.update_cookies.assert_called_once_with(`
`717`		`- {'key': 'value', 'key2': 'value2', 'key3': '"value3="'}`
	`717`	`+ {'key': 'value', 'key2': 'value2', 'key3': 'value3='}`
`718`	`718`	`)`
`719`	`719`
`720`	`720`	`@mock.patch('engineio.client.time.time', return_value=123.456)`