Re: [Django] #26349: A cookie named "?" breaks CSRF

2016-03-11 Thread Django
#26349: A cookie named "?" breaks CSRF
--------------------------------+--------------------------------------
     Reporter:  eyelidlessness  |                    Owner:  nobody
         Type:  Bug             |                   Status:  closed
    Component:  CSRF            |                  Version:  1.9
     Severity:  Normal          |               Resolution:  invalid
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+--------------------------------------
Changes (by timgraham):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 We use
 [https://github.com/python/cpython/blob/750ed3ef784a5261f50b1ce146d561c7aefdac67/Lib/http/cookies.py#L458-L478 cookie parsing from Python]
 and I believe those are invalid characters for a cookie key value. If
 parsing fails, remaining cookies will be ignored by Python's current
 parsing scheme. There's an open ticket for Python which may improve the
 situation: http://bugs.python.org/issue25228

 Unless you can point to why Django is at fault, I believe this class of
 issue should be directed at Python.

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/072.313e82d14b5317cd759c8c7644c4cbb6%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
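
Added example, not part of the ticket and not Django's or CPython's own code: it shows how one invalid cookie name in a Cookie header hides the CSRF cookie that follows it when the header is parsed in one pass with http.cookies, and a per-pair parse that keeps the valid cookies. The header values and the function names stdlib_names and tolerant_parse are constructed for illustration; depending on the Python version the bad name either stops parsing silently or raises CookieError, and both cases are handled.

```python
from http.cookies import SimpleCookie, CookieError

# Constructed Cookie headers: an invalid name sits in front of the CSRF cookie.
HEADER_QMARK = 'sessionid=abc123; ?=x; csrftoken=constructed-token'
HEADER_QUOTE = 'sessionid=abc123; "=x; csrftoken=constructed-token'


def stdlib_names(header):
    """Names recovered when the whole header is handed to SimpleCookie."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        # Some Python versions reject the illegal key with an exception
        # instead of silently stopping; cookies after it are lost either way.
        pass
    return set(jar.keys())


def tolerant_parse(header):
    """Parse each 'name=value' pair separately so one bad pair is skipped.

    Limitation (assumption of this sketch): a quoted value that itself
    contains ';' is split apart and dropped, not reassembled.
    """
    cookies = {}
    for chunk in header.split(';'):
        jar = SimpleCookie()
        try:
            jar.load(chunk.strip())
        except CookieError:
            continue  # illegal name: drop this pair only
        for name, morsel in jar.items():
            cookies[name] = morsel.value
    return cookies


if __name__ == '__main__':
    for header in (HEADER_QMARK, HEADER_QUOTE):
        print(header)
        print('  one pass :', sorted(stdlib_names(header)))
        print('  per pair :', sorted(tolerant_parse(header)))
```
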


Re: [Django] #26349: A cookie named "?" breaks CSRF

2016-03-11 Thread Django
#26349: A cookie named "?" breaks CSRF
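--------------------------------+--------------------------------------
     Reporter:  eyelidlessness  |                    Owner:  nobody
         Type:  Bug             |                   Status:  new
    Component:  CSRF            |                  Version:  1.9
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+--------------------------------------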
Changes (by eyelidlessness):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0


Comment:

 Any cookie using a double quote also seems to trigger this issue.
