[Django] #26158: cookie parsing fails with python 3.x if request contains unnamed cookie

Sun, 31 Jan 2016 07:04:48 -0800 

#26158: cookie parsing fails with python 3.x if request contains unnamed cookie
-------------------------------+----------------------------
     Reporter:  Treverix       |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  HTTP handling  |    Version:  1.8
     Severity:  Normal         |   Keywords:  cookie python3
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+----------------------------
 Example:

 {{{#!python
   from http import cookies
   good_cookie = 'csrftoken=5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE;
 django_language=en'
   print(cookies.parse_cookie(good_cookie))
   bad_cookie = 'csrftoken=5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE; unnamed;
 django_language=en'
   print(cookies.parse_cookie(bad_cookie))
 }}}

 Output:
 {{{
   {'csrftoken': '5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE', 'django_language':
 'en'}
   {}
 }}}

 This parsing method is used during processing WSGI requests (see:
 django.core.handlers.wsgi.py)

 If a request contains at least one nameless cookie, then the parser result
 is an empty dictionary. The nameless cookie may be present in the client
 (browser) and this cause at least two serious problems for django:

 * django will not see the session cookie (user is asked to login again)
 * csrf validation fails with an error message (csrf cookie not set -
 because the middleware doesn't see it)

 It worked, btw., with python 2.7.

 Remark:
 Nameless cookies shouldn't happen - but in our case there's a different
 web application on the parent domain that sometimes sets a nameless
 cookie. Even though that this is a bug, it makes our django app quite
 unusable due to the cookie parsing and we'd have to ask the users to
 constantly delete the cookies on their browsers (or avoid the other app).
 Those cookies are evil but we have to expect them in real life :/

--
Ticket URL: <https://code.djangoproject.com/ticket/26158>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/051.033924f10e9cf797a1da338adf62630c%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to