Thanks Tim, fascinating. At least I can tell the big boss the problem was
"caused" by the BDFL ;-)
Will
On Friday, February 5, 2016 at 1:52:34 PM UTC+1, Tim Graham wrote:
>
> This is caused by a security fix in Python (which Django uses for cookie
> parsing). I think the issue can be fixed
This is caused by a security fix in Python (which Django uses for cookie
parsing). I think the issue can be fixed without causing security problems,
but I'm not sure. Please follow https://code.djangoproject.com/ticket/26158
and related Python tickets.
On Friday, February 5, 2016 at 3:13:14 AM
Hey Daniel,
Thanks for the reply. Unfortunately doing this in a custom middleware is
not an option, as this processing needs to take place at a very low
level, at the point where the Request object is being built. By the time
the request is passed in to the middleware layers for
Hello,
>
> I have resolved this in my instance as follows in django/http/cookie.py:
>
>     import re
>
>     def parse_cookie(cookie):
>         # Replace any run of non-printable-ASCII characters with 'X'
>         # before handing the header to the strict parser.
>         cookie = re.sub('[^\x20-\x7e]+', 'X', cookie)
>         ...
>
It would be preferable to write that code in a middleware than in the
Django code itself.
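To make the failure mode concrete, here is an added example (not code from the thread or from Django) that compares three ways of parsing a Cookie header on Python 3: the stdlib SimpleCookie that the strict fix applies to, the scrub-and-parse workaround quoted above, and a per-pair parser that isolates each cookie. The sample headers are constructed; the non-ASCII bytes are shown as WSGI delivers them (latin-1 decoded).

```python
import re
from http.cookies import SimpleCookie

# Constructed sample headers: a browser sent UTF-8 "café" in one cookie.
# WSGI decodes header bytes as latin-1, so the value arrives as 'caf\xc3\xa9'.
BAD_LAST_HEADER = 'sessionid=abc123; name=caf\xc3\xa9; csrftoken=zzz'
BAD_FIRST_HEADER = 'name=caf\xc3\xa9; sessionid=abc123'


def strict_parse(header):
    """Parse with the stdlib SimpleCookie. After the Python security fix,
    parsing stops at the first syntactically invalid cookie, so every cookie
    after it (possibly the session cookie) is silently dropped."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def scrub_then_parse(header):
    """The workaround from the thread: replace runs of non-printable-ASCII
    characters with 'X' so the strict parser accepts the whole header.
    The session survives, but the offending value is altered."""
    return strict_parse(re.sub(r'[^\x20-\x7e]+', 'X', header))


def tolerant_parse(header):
    """Per-pair parsing: split on ';' and handle each name=value on its own,
    so one malformed cookie cannot take the others down with it. Quoted
    values are unwrapped; no other decoding is attempted."""
    result = {}
    for chunk in header.split(';'):
        if '=' in chunk:
            key, val = chunk.split('=', 1)
        else:
            key, val = '', chunk
        key, val = key.strip(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if key or val:
            result[key] = val
    return result


if __name__ == '__main__':
    for label, fn in [('strict', strict_parse), ('scrubbed', scrub_then_parse),
                      ('tolerant', tolerant_parse)]:
        print(label, fn(BAD_FIRST_HEADER))
```

Run as a script it prints the three results for the header whose first cookie is malformed; only the strict parser loses the session.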
Before the middleware
I recently ran into this problem on a production server, and it was causing
my users to lose their sessions.
Many browsers will happily post UTF-8 encoded data in cookie strings. This
will result in cookie data such as this, which I captured from my nginx log: