Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
-+--
   Reporter:  Warlax | Owner:  nobody   
 
 Status:  reopened   | Milestone:  1.3  
 
  Component:  HTTP handling  |   Version:  SVN  
 
 Resolution: |  Keywords:  cookies, 
sprintdec2010
   Triage Stage:  Ready for checkin  | Has patch:  1
 
Needs documentation:  0  |   Needs tests:  0
 
Patch needs improvement:  0  |  
-+--

Comment (by lukeplant):

 Just a small note - 13007.1.diff is absolutely the right way to do it in
 trunk, but it will be a pain to backport to 1.2.X, due to [15298] and the
 fact that [14707] is a feature addition which is not backported to 1.2.X.
 So it looks like 13007.1.diff should be applied to trunk, 13007.diff to
 1.2.X.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
-+--
   Reporter:  Warlax | Owner:  nobody   
 
 Status:  reopened   | Milestone:  1.3  
 
  Component:  HTTP handling  |   Version:  SVN  
 
 Resolution: |  Keywords:  cookies, 
sprintdec2010
   Triage Stage:  Ready for checkin  | Has patch:  1
 
Needs documentation:  0  |   Needs tests:  0
 
Patch needs improvement:  0  |  
-+--
Changes (by jezdez):

  * stage:  Accepted => Ready for checkin


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
-+--
   Reporter:  Warlax | Owner:  nobody   
 
 Status:  reopened   | Milestone:  1.3  
 
  Component:  HTTP handling  |   Version:  SVN  
 
 Resolution: |  Keywords:  cookies, 
sprintdec2010
   Triage Stage:  Accepted   | Has patch:  1
 
Needs documentation:  0  |   Needs tests:  0
 
Patch needs improvement:  0  |  
-+--

Comment (by aaugustin):

 #7183 was a duplicate.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
-+--
   Reporter:  Warlax | Owner:  nobody   
 
 Status:  reopened   | Milestone:  1.3  
 
  Component:  HTTP handling  |   Version:  SVN  
 
 Resolution: |  Keywords:  cookies, 
sprintdec2010
   Triage Stage:  Accepted   | Has patch:  1
 
Needs documentation:  0  |   Needs tests:  0
 
Patch needs improvement:  0  |  
-+--
Changes (by ramiro):

  * needs_better_patch:  1 => 0


Comment:

 I've attached the patch to apply after r15298. Please review,
 particularly:

  * Replaced a explicit `SimpleCookie.load(self, rawdata)` in the added
 load() method with a `super(SimpleCookie, self).load(rawdata)` call
  * Added a runtime `_cookie_allows_colon_in_names` flag in the same spirit
 of the `_morsel_supports_httponly` and `_cookie_encodes_correctly` already
 there.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
-+--
   Reporter:  Warlax | Owner:  nobody   
 
 Status:  reopened   | Milestone:  1.3  
 
  Component:  HTTP handling  |   Version:  SVN  
 
 Resolution: |  Keywords:  cookies, 
sprintdec2010
   Triage Stage:  Accepted   | Has patch:  1
 
Needs documentation:  0  |   Needs tests:  0
 
Patch needs improvement:  1  |  
-+--
Changes (by russellm):

  * needs_better_patch:  0 => 1
  * stage:  Ready for checkin => Accepted


Comment:

 This patch doesn't apply clean to trunk, and it's not obvious how to adapt
 the patch -- there have been other modifications to the cookie code in the
 interim.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody
Status:  reopened   | Milestone:  1.3   
 Component:  HTTP handling  |   Version:  SVN   
Resolution: |  Keywords:  cookies, sprintdec2010
 Stage:  Ready for checkin  | Has_patch:  1 
Needs_docs:  0  |   Needs_tests:  0 
Needs_better_patch:  0  |  
+---
Changes (by Ubercore):

 * cc: Ubercore (added)

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody
Status:  reopened   | Milestone:  1.3   
 Component:  HTTP handling  |   Version:  SVN   
Resolution: |  Keywords:  cookies, sprintdec2010
 Stage:  Ready for checkin  | Has_patch:  1 
Needs_docs:  0  |   Needs_tests:  0 
Needs_better_patch:  0  |  
+---
Changes (by tttallis):

  * keywords:  cookies => cookies, sprintdec2010
  * needs_better_patch:  1 => 0
  * stage:  Unreviewed => Ready for checkin
  * milestone:  => 1.3

Comment:

 Spent a bit of time reviewing this ticket during the sprint.

 A few points:

 * While "A colon *should* be a valid value in a cookie", this ticket is
 actually about cookies with a colon in the '''name'''. While there is some
 uncertainty about what characters are legal in cookie names, most folks
 seem to thing colons aren't kosher.
 * In any case, I followed the instructions, and with some fiddling was
 able to reproduce the problem. I failed to reproduce it in Safari (it
 looked like maybe Safari 'censored' the cookie with the colon), but
 managed to definitively reproduce it in Firefox.
 * The patch takes a reasonable, prudent approach, and solves the issue
 cited
 * The unittest isn't exactly conclusive but I can't think of a better way
 to test this  - it's not exactly an easy situation to reproduce

 I say let check it in!

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody 
Status:  reopened   | Milestone: 
 Component:  HTTP handling  |   Version:  SVN
Resolution: |  Keywords:  cookies
 Stage:  Unreviewed | Has_patch:  1  
Needs_docs:  0  |   Needs_tests:  0  
Needs_better_patch:  1  |  
+---
Changes (by Ubercore):

  * has_patch:  0 => 1

Comment:

 Without rolling some kind of cookie pre-processing, Trac's solution seems
 like a decent option until Python provides better hooks for error handling
 on individual keys. I've attached a patch based on
 http://trac.edgewall.org/browser/trunk/trac/web/api.py?rev=3734#L97.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody 
Status:  reopened   | Milestone: 
 Component:  HTTP handling  |   Version:  SVN
Resolution: |  Keywords:  cookies
 Stage:  Unreviewed | Has_patch:  0  
Needs_docs:  0  |   Needs_tests:  0  
Needs_better_patch:  1  |  
+---
Changes (by Ubercore):

  * status:  closed => reopened
  * needs_better_patch:  0 => 1
  * version:  1.1 => SVN
  * resolution:  worksforme =>

Comment:

 I've added a test case to illustrate what I think is going on here. The
 culprit in my case was Glassfish running on the same server. Its admin
 console adds this cookie:

 {{{
 form:tree-hi=;
 }}}

 This breaks cookie parsing, and no cookies appear in the request.
 Including the csrf token. I think the ideal case here is to lose only the
 non-standard cookies, instead of returning a blank dict when a CookieError
 is raised. This is, I think, what Trac has done.



 http://bugs.python.org/issue2193

 http://trac.edgewall.org/ticket/2256

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody 
Status:  closed | Milestone: 
 Component:  HTTP handling  |   Version:  1.1
Resolution:  worksforme |  Keywords:  cookies
 Stage:  Unreviewed | Has_patch:  0  
Needs_docs:  0  |   Needs_tests:  0  
Needs_better_patch:  0  |  
+---
Changes (by russellm):

  * status:  reopened => closed
  * resolution:  => worksforme

Comment:

 I can't reproduce with the provided instructions. Like I said, a colon
 should be a valid value for a cookie. A programatic test case might help.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody 
Status:  reopened   | Milestone: 
 Component:  HTTP handling  |   Version:  1.1
Resolution: |  Keywords:  cookies
 Stage:  Unreviewed | Has_patch:  0  
Needs_docs:  0  |   Needs_tests:  0  
Needs_better_patch:  0  |  
+---
Changes (by Warlax):

  * status:  closed => reopened
  * resolution:  invalid =>

Comment:

 Create a standard django app with the default auth system

 create a view that is @login_required

 MANUALLY create a cookie in ur browser under the url django is servered
 at, ie 127.0.0.1:8000

 create this cookie
 "org.ditchnet.jsp.tabs:task-details" with a value of anything, eg
 "231432423"

 try and log into the django app. you will not be able to view the page
 behind the login required decorator

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #13007: Django fails to log in when a cookie is set on the same domain containing a colon

[Django]

#13007: Django fails to log in when a cookie is set on the same domain 
containing a
colon
+---
  Reporter:  Warlax | Owner:  nobody 
Status:  closed | Milestone: 
 Component:  HTTP handling  |   Version:  1.1
Resolution:  invalid|  Keywords:  cookies
 Stage:  Unreviewed | Has_patch:  0  
Needs_docs:  0  |   Needs_tests:  0  
Needs_better_patch:  0  |  
+---
Changes (by russellm):

  * status:  new => closed
  * needs_better_patch:  => 0
  * resolution:  => invalid
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 A colon *should* be a valid value in a cookie; you'll need to provide a
 specific failing test case.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.