Thanks Tim, fascinating. At least I can tell the big boss the problem was "caused" by the BDFL ;-)
Will On Friday, February 5, 2016 at 1:52:34 PM UTC+1, Tim Graham wrote: > > This is caused by a security fix in Python (which Django uses for cookie > parsing). I think the issue can be fixed without cause security problems > but I'm not sure. Please follow > https://code.djangoproject.com/ticket/26158 and related Python tickets. > > On Friday, February 5, 2016 at 3:13:14 AM UTC-5, Will Harris wrote: >> >> Hey Daniel, >> >> Thanks for the reply. Unfortunately doing this in a custom middleware is >> not an option, as the this processing needs to take place at a very low >> level, at the point where the Request object is being built. By the time >> the request is passed in to the middleware layers for processing, the >> cookies would already have been lost. >> >> Will >> >> On Friday, February 5, 2016 at 12:31:30 AM UTC+1, Daniel Chimeno wrote: >>> >>> Hello, >>> >>>> >>>> I have resolved this in my instance as follows in django/http/cookie.py >>>> : >>>> >>>> def parse_cookie(cookie): >>>> cookie = re.sub('[^\x20-\x7e]+', 'X', cookie) >>>> ... >>>> >>>> >>>> >>>> It would be preferable to write that code in a middleware than in the >>> Django code itself. >>> Before the middleware that handles the cookie (I guess it would be >>> Session), you can *sanitize* that cookie. >>> >>> Hope it helps. >>> >>> >> -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2d48945b-b1fc-4811-b795-b11d92f0948b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
