#33212: Incorrect cookie parsing by django.http.cookie.parse_cookie
-----------------------------------+--------------------------------------
     Reporter:  Christos Georgiou  |                    Owner:  nobody
         Type:  Bug                |                   Status:  new
    Component:  Core (Other)       |                  Version:  3.2
     Severity:  Normal             |               Resolution:
     Keywords:  cookies            |             Triage Stage:  Unreviewed
    Has patch:  0                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+--------------------------------------
Comment (by Collin Anderson):

As far as optionally rejecting non-rfc cookies goes, I think the way to do it would be to first split the entire header on semicolon, and then accept or ignore individual name-value-pairs. Basically, treat each thing between semicolons like the first part of a `Set-Cookie` header, and then parse according to "Set-Cookie header" rules https://datatracker.ietf.org/doc/html/rfc6265#section-5.2 (which says to first parse up to semicolon to get `name-value-pair`).

But even then, like Florian said, we don't know whether a WAF is going to accept or ignore a cookie, so it could actually make the situation worse if Django has stricter parsing than the WAF. Again, most other `Cookie` header parsing code seems to allow non-rfc characters.

I suppose another thing that may or may not help: if there were a cookie api for getting a lower-level list of tuples instead of dict, then people could ignore individual key-value pairs if they wanted to, and there's no information loss in the case of multiple cookies with the same name. The RFC pretty much explicitly allows for multiple cookies with the same name, so that's not going to go away any time soon.

Anyway, I created a little PR for using first cookie value rather than last value if we want to do that. There's some backward-compatibility concerns, but it's probably for the best long-term to try to match other parsers as far as which cookie value to use: https://github.com/django/django/pull/15015

--
Ticket URL: <https://code.djangoproject.com/ticket/33212#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/062.c752bb3f00808aa2b2f32194e3517cab%40djangoproject.com.
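The parsing approach sketched in the comment above (split the `Cookie` header on `;`, parse each piece by the `name-value-pair` rules of RFC 6265 section 5.2, keep an ordered list of tuples so duplicate names are not lost, and then decide separately whether the first or the last value of a duplicate wins), written out as an added standalone example. This is not Django's `parse_cookie` and not the code in the linked PR; the function names, the `strict` flag, and the sample header are assumptions made for illustration. The optional strict mode checks names and values against the `token` / `cookie-octet` grammar of RFC 6265 section 4.1.1, which is the "reject non-rfc cookies" option the comment discusses and warns may be stricter than a WAF in front of the app.

```python
"""Ordered, RFC 6265-style Cookie header parsing (added example, not Django code)."""
import re
from typing import Dict, List, Tuple

# RFC 6265 4.1.1: cookie-name is a token (RFC 2616 2.2): one or more CHARs
# excluding CTLs and the separators ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")

# RFC 6265 4.1.1: cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# (printable US-ASCII without CTLs, whitespace, DQUOTE, comma, semicolon, backslash).
_COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def is_rfc6265_name(name: str) -> bool:
    return bool(_TOKEN_RE.match(name))


def is_rfc6265_value(value: str) -> bool:
    # The grammar allows the cookie-value to be wrapped in DQUOTEs; the
    # quotes are kept in the parsed value here, only the inside is checked.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return bool(_COOKIE_OCTET_RE.match(value))


def parse_cookie_pairs(header: str, strict: bool = False) -> List[Tuple[str, str]]:
    """Split a Cookie header on ';' and parse each chunk the way RFC 6265 5.2
    parses the name-value-pair at the start of a Set-Cookie header:
      step 2: no '=' in the chunk      -> ignore the chunk entirely
      step 3: split at the first '='
      step 4: strip leading/trailing whitespace from name and value
      step 5: empty name               -> ignore the chunk entirely
    Returns an ordered list of (name, value) tuples, so duplicate names are
    preserved.  With strict=True, pairs whose name is not a token or whose
    value contains a non-cookie-octet are ignored as well (assumed policy)."""
    pairs: List[Tuple[str, str]] = []
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue                                    # 5.2 step 2
        name, _, value = chunk.partition("=")           # 5.2 step 3
        name, value = name.strip(), value.strip()       # 5.2 step 4
        if not name:
            continue                                    # 5.2 step 5
        if strict and not (is_rfc6265_name(name) and is_rfc6265_value(value)):
            continue                                    # optional non-rfc rejection
        pairs.append((name, value))
    return pairs


def first_value_wins(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Collapse to a dict keeping the first occurrence of each name (the
    behaviour the comment's PR proposes and most other parsers use)."""
    result: Dict[str, str] = {}
    for name, value in pairs:
        result.setdefault(name, value)
    return result


def last_value_wins(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Collapse to a dict keeping the last occurrence of each name."""
    return dict(pairs)


# Constructed sample header: a duplicated session cookie, a name with a
# space, an empty name, a chunk without '=', a quoted value and a value with
# whitespace.  Not taken from any real request.
SAMPLE_HEADER = (
    'sessionid=abc; sessionid=def; theme=dark; bad name=1; =orphan; '
    'novalue; x="quoted"; y=spa ce'
)

if __name__ == "__main__":
    lenient = parse_cookie_pairs(SAMPLE_HEADER)
    strict = parse_cookie_pairs(SAMPLE_HEADER, strict=True)
    print("lenient:", lenient)
    print("strict: ", strict)
    print("first wins:", first_value_wins(lenient)["sessionid"])
    print("last wins: ", last_value_wins(lenient)["sessionid"])
```

The list-of-tuples form is the point of the example: `sessionid` appears twice, both values survive in the list, and only the final `first_value_wins` / `last_value_wins` step decides which one a `request.COOKIES`-style dict exposes. In strict mode `bad name=1` (space in the name) and `y=spa ce` (space in the value) are dropped, which is exactly the divergence from a lenient WAF that the comment cautions about; the `=orphan` and `novalue` chunks are ignored in both modes because RFC 6265 section 5.2 discards a pair with no `=` or an empty name.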