Django

Ticket #6764 (closed: fixed)

Opened 4 months ago

Last modified 4 months ago

Invalid Cookies cause Stacktrace in middleware

Reported by: axiak
Assigned to: nobody
Milestone: (none)
Component: HTTP handling
Version: SVN
Keywords: cookies, http
Cc: (none)
Triage Stage: Ready for checkin
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

If someone uses SessionMiddleware, any request with invalid cookies will result in a stack trace. For instance, someone visited a site with the cookie "lang:xml=ru".

If you use wget, you can repeat this on a number of sites:

 $ wget --header "Cookie: lang:xml=ru" http://www.djangoproject.com
--09:06:39--  http://www.djangoproject.com/
           => `-'
Resolving www.djangoproject.com... 64.207.133.18
Connecting to www.djangoproject.com|64.207.133.18|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
09:06:40 ERROR 500: Internal Server Error.

(It's also amazing how many Django developers are lazy enough to leave PythonDebug on, but that's not fixable.)

Attached is a patch to have invalid cookies result in no cookies at all, along with a test.

Someone might decide to emit a warning or something; that's not included in this patch.
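The failure the description reports, and the behaviour the attached patch asks for, side by side as an added Python example (editor's code, not Django's parse_cookie and not the attached diff). It assumes Python 3's http.cookies module; there the colon in "lang:xml" is a legal name character (Python 3.3 started allowing it), so the constructed bad header uses an '@' in the cookie name, which SimpleCookie.load still rejects with CookieError. The third function is the per-pair recovery that #6507 asked for, included only for comparison. All sample headers are constructed.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed sample headers (not taken from any real request).
GOOD_HEADER = "sessionid=abc123; csrftoken=xyz"
BAD_HEADER = "sessionid=abc123; bad@key=1"   # '@' is not a legal cookie-name char
TICKET_HEADER = "lang:xml=ru"                 # the header from the ticket


def morsels_to_dict(cookie):
    """Flatten a SimpleCookie into {name: value}, the shape middleware reads."""
    return {name: morsel.value for name, morsel in cookie.items()}


def parse_cookie_unchecked(header):
    """The failing shape: one illegal name makes SimpleCookie.load raise
    CookieError, which propagates out of the middleware as a 500."""
    cookie = SimpleCookie()
    cookie.load(header)
    return morsels_to_dict(cookie)


def parse_cookie_squelched(header):
    """What the attached patch asks for: an unparseable Cookie header is
    treated as if the request carried no cookies at all."""
    if not header:
        return {}
    cookie = SimpleCookie()
    try:
        cookie.load(header)
    except CookieError:
        return {}
    return morsels_to_dict(cookie)


def parse_cookie_lenient(header):
    """The #6507 alternative: parse each name=value pair on its own and keep
    the pairs that are valid. Splitting on ';' is naive (it breaks quoted
    values that contain ';'), which is part of why it is more machinery
    than this ticket needs."""
    found = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue
        cookie = SimpleCookie()
        try:
            cookie.load(pair)
        except CookieError:
            continue   # drop just this pair, keep the rest
        found.update(morsels_to_dict(cookie))
    return found


def raises_cookie_error(header):
    """True if the unchecked parser blows up on this header."""
    try:
        parse_cookie_unchecked(header)
    except CookieError:
        return True
    return False


if __name__ == "__main__":
    for header in (GOOD_HEADER, BAD_HEADER, TICKET_HEADER):
        print(repr(header))
        print("  unchecked raises:", raises_cookie_error(header))
        print("  squelched:", parse_cookie_squelched(header))
        print("  lenient:  ", parse_cookie_lenient(header))
```

Note that on the Python 2 Cookie module of the ticket's era the colon itself was the illegal character, so TICKET_HEADER would have taken the BAD_HEADER path there; the squelching parser behaves the same way in either case, returning an empty cookie dict rather than a traceback.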

Attachments

safe_cookie.diff (1.1 kB) - added by axiak on 03/13/08 07:55:10.
Patch to squelch cookie parsing errors.

Change History

03/13/08 07:55:10 changed by axiak

  • attachment safe_cookie.diff added.

Patch to squelch cookie parsing errors.

03/13/08 08:02:58 changed by axiak

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.

I guess this is a dupe of #6507, though I'm not sure I agree that there needs to be a way to get some of the keys if one of them is bad (hence the need for subclassing the Morsel and Cookie classes).

03/13/08 08:17:57 changed by mtredinnick

  • stage changed from Unreviewed to Ready for checkin.

#6507 is overkill for this problem.

03/17/08 08:49:05 changed by mtredinnick

  • status changed from new to closed.
  • resolution set to fixed.

(In [7257]) Fixed #6764 -- Added some error checking around cookie decoding. Thanks, Michael Axiak.
