#27083: Problems with ETag parsing and comparison -------------------------------+-------------------- Reporter: marfire | Owner: nobody Type: Bug | Status: new Component: HTTP handling | Version: master Severity: Normal | Keywords: Triage Stage: Unreviewed | Has patch: 0 Easy pickings: 0 | UI/UX: 0 -------------------------------+-------------------- There are a number of problems with the way Django currently parses and compares ETags. The main issue is that we don't properly distinguish between weak and strong ETags. Specifically:
- Since we don't distinguish between weak and strong ETags, all of our comparisons are implicitly weak (see [https://tools.ietf.org/html/rfc7232#section-2.3.2 section 2.3.2 of RFC 7232]). The specification, however, says that we "MUST use the strong comparison function when comparing entity-tags for `If-Match`" (section 3.1). - There's no way to supply a weak ETag via the `condition()` decorator. - If the developer specifies a weak ETag directly (by assigning to the `ETag` header in the response), we don't parse it properly and it will never match. - We interpret the ETag format and implement the matching algorithm based on the old specification (RFC 2616), not the new one (RFC 7232). They are somewhat different. Correcting this is mostly straightforward. The only tricky issue is what to do about the ETags returned from `etag_func()` in the `condition()` decorator. We currently treat these as unquoted (and implicitly strong) ETags. We can't suddenly require these to be quoted ETags since that would break backwards compatibility. Instead we can allow either quoted or unquoted ETags to be returned. Since quotes are not an allowed character in the unquoted part of the ETag under the new specification, there won't be any ambiguity. Existing code will work as before, but it will now be possible for someone to provide an `etag_func()` that returns a weak ETag. There is still the possibility of a backwards incompatibility, though, since as noted above the current ETag specification is slightly incompatible with the old one (having to do with changing from an escaped string to an opaque string). That is, there exist ETags that would have been valid and would have matched under the old specification that will not match after this change. I would expect actual use of such ETags to be rare or nonexistent, and since the problem would be caused by user code that is incompatible with the HTTP specification this doesn't seem like a fatal problem. -- Ticket URL: <https://code.djangoproject.com/ticket/27083> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/050.a1e908320ee19af71356ccd09b7f231d%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.