#33212: Incorrect cookie parsing by django.http.cookie.parse_cookie
-----------------------------------+--------------------------------------
     Reporter:  Christos Georgiou  |                    Owner:  nobody
         Type:  Bug                |                   Status:  new
    Component:  Core (Other)       |                  Version:  3.2
     Severity:  Normal             |               Resolution:
     Keywords:  cookies            |             Triage Stage:  Unreviewed
    Has patch:  0                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+--------------------------------------

Comment (by Collin Anderson):

 As far as optionally rejecting non-rfc cookies goes, I think the way to do
 it would be to first split the entire header on semicolon, and then accept
 or ignore individual name-value-pairs. Basically, treat each thing between
 semicolons like the first part of a `Set-Cookie` header, and then parse
 according to "Set-Cookie header" rules
 https://datatracker.ietf.org/doc/html/rfc6265#section-5.2 (which says to
 first parse up to semicolon to get `name-value-pair`).

 But even then, like Florian said, we don't know whether a WAF is going to
 accept or ignore a cookie, so it could actually make the situation worse
 if Django has stricter parsing than the WAF. Again, most other `Cookie`
 header parsing code seems to allow non-rfc characters.

 I suppose another thing that may or may not help: if there were a cookie
 api for getting a lower-level list of tuples instead of dict, then people
 could ignore individual key-value pairs if they wanted to, and there's no
 information loss in the case of multiple cookies with the same name. The
 RFC pretty much explicitly allows for multiple cookies with the same name,
 so that's not going to go away any time soon.

 Anyway, I created a little PR for using first cookie value rather than
 last value if we want to do that. There's some backward-compatibility
 concerns, but it's probably for the best long-term to try to match other
 parsers as far as which cookie value to use:
 https://github.com/django/django/pull/15015

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33212#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
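
The approach the comment sketches (split the whole `Cookie` header on semicolons, treat each piece like the leading name-value-pair of a `Set-Cookie` header per RFC 6265 section 5.2, and hand back a list of tuples so duplicate names survive), as an added example. This is illustration code written for this page; it is not Django's `django.http.cookie.parse_cookie` and not the code in the linked PR. The optional `strict` mode, which drops pairs whose name is not an RFC 2616 token or whose value contains bytes outside RFC 6265's `cookie-octet`, is this example's own assumption about what "rejecting non-rfc cookies" would mean; section 5.2 itself only splits and trims, it does not validate characters. `pairs_to_dict` shows the first-value-wins versus last-value-wins choice the PR is about.

```python
import re
from typing import Dict, List, Tuple

# Grammar used only by strict mode (an assumption of this example, taken
# from RFC 6265 section 4.1.1 / RFC 2616 token):
#   cookie-name  = token          (no CTLs, no separators such as ( ) < > @ , ; : \ " / [ ] ? = { } SP HT)
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")


def parse_cookie_pairs(header: str, strict: bool = False) -> List[Tuple[str, str]]:
    """Split a Cookie header into an ordered list of (name, value) pairs.

    Every ';'-delimited piece is handled like the name-value-pair of a
    Set-Cookie header, following RFC 6265 section 5.2:
      step 2: no '=' in the piece            -> ignore the piece
      step 3: name is everything before the first '=', value everything after
      step 4: strip leading/trailing WSP from name and value
      step 5: empty name                      -> ignore the piece
    Section 5.2 does not strip DQUOTEs from the value, so neither does this.
    In strict mode (this example's assumption) a piece is also ignored when
    the name is not a token or the value has non-cookie-octet characters.
    Duplicate names are kept in order; nothing is collapsed here.
    """
    pairs: List[Tuple[str, str]] = []
    for piece in header.split(";"):
        if "=" not in piece:
            continue  # step 2
        name, _, value = piece.partition("=")  # step 3
        name = name.strip(" \t")  # step 4 (WSP = SP / HTAB)
        value = value.strip(" \t")
        if not name:
            continue  # step 5
        if strict:
            if not _TOKEN_RE.match(name):
                continue
            inner = value
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                inner = value[1:-1]  # one enclosing DQUOTE pair is allowed
            if not _COOKIE_OCTET_RE.match(inner):
                continue
        pairs.append((name, value))
    return pairs


def pairs_to_dict(pairs: List[Tuple[str, str]], first_wins: bool = True) -> Dict[str, str]:
    """Collapse (name, value) pairs into a dict.

    first_wins=True keeps the first occurrence of a duplicated name (the
    behaviour the linked PR proposes); first_wins=False keeps the last.
    The tuple list is the lossless form; this is the lossy view on top.
    """
    out: Dict[str, str] = {}
    for name, value in pairs:
        if first_wins and name in out:
            continue
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample header: duplicate name, a bare word, an empty
    # name, a non-token name and a value with a comma (not a cookie-octet).
    sample = 'sessionid=abc; junk; =orphan; sessionid=def; d@=1; b=x,y; q="ok"'
    for mode in (False, True):
        pairs = parse_cookie_pairs(sample, strict=mode)
        print("strict" if mode else "lenient", pairs)
        print("  first wins:", pairs_to_dict(pairs))
        print("  last wins: ", pairs_to_dict(pairs, first_wins=False))
```

Running it with the constructed header shows the two decisions the comment separates: which pieces are ignored (only the `strict` flag changes that) and which duplicate value the dict reports (only `first_wins` changes that). A WAF sitting in front of the app may make either decision differently, which is the mismatch the comment warns about.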
