@bdraco bdraco commented Oct 27, 2025

What do these changes do?

Ensure cookies are still parsed after a malformed cookie
Browsers and nodejs cookie parser are a lot more permissive so
we should handle similar cases.

Are there changes in behavior for the user?

We can handle more real-world cookies

Is it a substantial burden for the maintainers to support this?

It's pretty similar to how node.js does it and they haven't substantively changed it in a while so probably not going to require much maint burden

Related issue number

fixes #11632

@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Oct 27, 2025
@bdraco bdraco added backport-3.13 Trigger automatic backporting to the 3.13 release branch by Patchback robot backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot labels Oct 27, 2025

codspeed-hq bot commented Oct 27, 2025

CodSpeed Performance Report

Merging #11724 will not alter performance

Comparing manual_parse_cookie_fallback (2dd8d16) with master (0d77d0d)

Summary

✅ 59 untouched


codecov bot commented Oct 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.74%. Comparing base (6fabae5) to head (2dd8d16).
⚠️ Report is 5 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff            @@
##           master   #11724    +/-   ##
========================================
  Coverage   98.73%   98.74%            
========================================
  Files         127      127            
  Lines       43558    43661   +103     
  Branches     2320     2323     +3     
========================================
+ Hits        43008    43111   +103     
+ Misses        390      389     -1     
- Partials      160      161     +1     
Flag Coverage Δ
CI-GHA 98.61% <100.00%> (+<0.01%) ⬆️
OS-Linux 98.35% <100.00%> (+<0.01%) ⬆️
OS-Windows 96.67% <100.00%> (+<0.01%) ⬆️
OS-macOS 97.57% <100.00%> (+<0.01%) ⬆️
Py-3.10.11 97.11% <100.00%> (-0.01%) ⬇️
Py-3.10.18 97.62% <100.00%> (+<0.01%) ⬆️
Py-3.11.13 97.81% <100.00%> (+<0.01%) ⬆️
Py-3.11.9 97.32% <100.00%> (+<0.01%) ⬆️
Py-3.12.10 97.43% <100.00%> (+<0.01%) ⬆️
Py-3.12.11 97.92% <100.00%> (+<0.01%) ⬆️
Py-3.13.7 97.92% <100.00%> (+<0.01%) ⬆️
Py-3.13.8 ?
Py-3.13.9 97.40% <100.00%> (+<0.01%) ⬆️
Py-3.14.0 98.12% <100.00%> (+<0.01%) ⬆️
Py-3.14.0t 97.20% <100.00%> (+<0.01%) ⬆️
Py-pypy3.10.16-7.3.19 94.66% <100.00%> (-1.51%) ⬇️
VM-macos 97.57% <100.00%> (+<0.01%) ⬆️
VM-ubuntu 98.35% <100.00%> (+<0.01%) ⬆️
VM-windows 96.67% <100.00%> (+<0.01%) ⬆️


@bdraco bdraco marked this pull request as ready for review October 27, 2025 18:30
@bdraco bdraco requested a review from Copilot October 27, 2025 18:30

Copilot AI left a comment

Pull Request Overview

This PR enhances the cookie parsing logic to handle malformed cookies more gracefully, ensuring that subsequent valid cookies are still parsed when encountering cookies that fail regex validation (such as Google's g_state cookie with unescaped quotes). This aligns the behavior more closely with how browsers and Node.js handle cookie parsing.

Key Changes

  • Added fallback parsing logic when regex matching fails, attempting simple key=value extraction
  • Enhanced test coverage with 7 new test cases covering large values, multiple equals signs, whitespace handling, and edge cases in the fallback parser
  • Removed xfail marker from previously failing test_parse_cookie_gstate_header test

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
aiohttp/_cookie_helpers.py Implements fallback cookie parsing logic to handle malformed cookies while preserving subsequent valid cookies
tests/test_cookie_helpers.py Adds comprehensive test coverage for fallback parser behavior and removes xfail marker from now-passing test
docs/spelling_wordlist.txt Adds "unescaped" to the spelling dictionary to support the bugfix changelog entry
CHANGES/11632.bugfix.rst Documents the bug fix for malformed cookie handling
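
As an added illustration of the fallback described in the review summary above (example code written for this page, not aiohttp's implementation): a strict parser that stops at the first pair its pattern rejects, beside one that falls back to simple key=value extraction and keeps parsing. The simplified regex, the function names and the sample header are assumptions constructed for the example.

```python
import re

# Simplified strict pattern (an assumption for this example, not aiohttp's regex):
# token name, "=", then a well-formed quoted string or a run without quotes/semicolons.
_PAIR = re.compile(
    r"""\s*(?P<key>[\w!#$%&'*+\-.^`|~]+)\s*=\s*"""
    r"""(?P<val>"(?:[^\\"]|\\.)*"|[^";\s]*)\s*(?:;|$)"""
)
_TOKEN = re.compile(r"[\w!#$%&'*+\-.^`|~]+")

# Constructed sample: a g_state-style value with unescaped quotes between two valid cookies.
HEADER = 'session=abc123; g_state={"i_l":0,"i_p":1}; csrftoken=xyz'


def parse_strict(header):
    """Stop at the first pair the pattern rejects; later cookies are lost."""
    cookies, pos = {}, 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if m is None:
            break  # everything after the malformed cookie is silently dropped
        cookies[m["key"]] = m["val"]
        pos = m.end()
    return cookies


def parse_with_fallback(header):
    """On a regex miss, try plain key=value on the segment, then keep going."""
    cookies, pos = {}, 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if m is not None:
            cookies[m["key"]] = m["val"]
            pos = m.end()
            continue
        # Fallback: raw segment up to the next ';', split on the first '=' only.
        end = header.find(";", pos)
        end = len(header) if end == -1 else end
        key, sep, val = header[pos:end].partition("=")
        key = key.strip()
        if sep and _TOKEN.fullmatch(key):  # skip segments without a valid name
            cookies[key] = val.strip()
        pos = end + 1
    return cookies


if __name__ == "__main__":
    print("strict:  ", parse_strict(HEADER))
    print("fallback:", parse_with_fallback(HEADER))
```

With the strict loop, the session cookie survives but the CSRF token after the malformed pair does not, which is the kind of silent loss that shows up later as unexplained authentication failures.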


@bdraco bdraco merged commit 82ce525 into master Oct 28, 2025
41 checks passed
@bdraco bdraco deleted the manual_parse_cookie_fallback branch October 28, 2025 16:33

patchback bot commented Oct 28, 2025

Backport to 3.13: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply 82ce525 on top of patchback/backports/3.13/82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8/pr-11724

Backporting merged PR #11724 into master

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it:
    $ git remote add upstream https://github.com/aio-libs/aiohttp.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code:
    $ git fetch upstream
    $ git checkout -b patchback/backports/3.13/82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8/pr-11724 upstream/3.13
  4. Now, cherry-pick PR Ensure cookies are still parsed after a malformed cookie #11724 contents into that branch:
    $ git cherry-pick -x 82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8
    If it'll yell at you with something like fatal: Commit 82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8 is a merge but no -m option was given., add -m 1 as follows instead:
    $ git cherry-pick -m1 -x 82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them in to preserve the patch from PR Ensure cookies are still parsed after a malformed cookie #11724 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub:
    $ git push origin patchback/backports/3.13/82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8/pr-11724
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.


patchback bot commented Oct 28, 2025

Backport to 3.14: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply 82ce525 on top of patchback/backports/3.14/82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8/pr-11724

Backporting merged PR #11724 into master

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it:
    $ git remote add upstream https://github.com/aio-libs/aiohttp.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code:
    $ git fetch upstream
    $ git checkout -b patchback/backports/3.14/82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8/pr-11724 upstream/3.14
  4. Now, cherry-pick PR Ensure cookies are still parsed after a malformed cookie #11724 contents into that branch:
    $ git cherry-pick -x 82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8
    If it'll yell at you with something like fatal: Commit 82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8 is a merge but no -m option was given., add -m 1 as follows instead:
    $ git cherry-pick -m1 -x 82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them in to preserve the patch from PR Ensure cookies are still parsed after a malformed cookie #11724 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub:
    $ git push origin patchback/backports/3.14/82ce525b3b3d11e1c9dbbe5ebc8aa0042a2cc7b8/pr-11724
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!


bdraco added a commit that referenced this pull request Oct 28, 2025
Development

Successfully merging this pull request may close these issues.

google's invalid g_state cookies cause aiohttp to stop parsing cookies after it