
Opened 2 years ago

Closed 10 months ago

Last modified 6 months ago

#18403 closed Bug (fixed)

Issue with redefined SimpleCookie with invalid cookie name

Reported by: Stefano Crosta <stefano@…>
Owned by: e0ne
Component: HTTP handling
Version: 1.4
Severity: Normal
Keywords: cookie
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by ramiro)

To provoke the error:

from django.http import HttpResponse
response = HttpResponse()
response.set_cookie("a:.b/", 1)


> AttributeError: 'SimpleCookie' object has no attribute 'bad_cookies' 

with a python version that does not accept colons (":") in the cookie name.

Django http/__init__.py redefines the SimpleCookie, and initializes bad_cookies in a method load(self, rawdata) that does not seem to be called in this case.

Besides the obvious fact that the cookie name is totally invalid, it looks like bad_cookies is not correctly initialized (I wouldn't mind an error, but a real one!)

Or am I using set_cookie incorrectly here?

Attachments (0)

Change History (8)

comment:1 Changed 2 years ago by ramiro

  • Description modified (diff)
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 2 years ago by lukeplant

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 10 months ago by e0ne

  • Owner changed from nobody to e0ne
  • Status changed from new to assigned

Here is a pull request with the fix: https://github.com/django/django/pull/1605

comment:4 Changed 10 months ago by timo

  • Has patch set
  • Needs tests set

This needs a test as well.

comment:5 Changed 10 months ago by timo

  • Needs tests unset

Test was added, but fails on Python 3. Python 3 appears to fail loudly on a bad cookie key rather than storing the key in bad_cookies. Question is whether Django should catch this exception to maintain the same behavior as Python 2 or if we should simply skip the new test on Python 3.

comment:6 Changed 10 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In f2a44528825ac07ca28c8bb7dc01b4375df8dc2c:

Fixed #18403 -- Initialized bad_cookies in SimpleCookie

Thanks Stefano Crosta for the report.

comment:7 Changed 6 months ago by fabian

I'm having this issue in Django 1.6.1 - is this really fixed!?

response = HttpResponse(json.dumps(result))
response.set_cookie(response, '123', expires=expires)
Internal Server Error: /goodies/ajax/authenticate_goody/
Traceback (most recent call last):
  File "/Users/rothfuchs/Documents/workspace/mygoody/pyenv/lib/python2.7/site-packages/django/core/handlers/base.py", line 114, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/rothfuchs/Documents/workspace/mygoody/goodies/ajax.py", line 30, in authenticate_goody
    response.set_cookie(response, '123', expires=expires)
  File "/Users/rothfuchs/Documents/workspace/mygoody/pyenv/lib/python2.7/site-packages/django/http/response.py", line 229, in set_cookie
    self.cookies[key] = value
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/Cookie.py", line 592, in __setitem__
    self.__set(key, rval, cval)
  File "/Users/rothfuchs/Documents/workspace/mygoody/pyenv/lib/python2.7/site-packages/django/http/cookie.py", line 67, in _BaseCookie__set
    self.bad_cookies.add(key)
AttributeError: 'SimpleCookie' object has no attribute 'bad_cookies'

comment:8 Changed 6 months ago by timo

If you look at the commit above, you'll see it's present on master/1.7a1. It won't be backported to 1.6 as it's not a regression (ticket was open 20 months before it was fixed).
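
Added example (not part of the ticket and not Django's code): a Python 3 model of the pattern the report describes, where bad_cookies is created only in load(), next to the change the commit message names, creating it at construction time. It is built on the standard library's http.cookies; the class names, BAD_KEY and the set_bad_key helper are hypothetical.

```python
from http.cookies import CookieError, Morsel, SimpleCookie

BAD_KEY = "a:.b/"  # key from the report; "/" is not a legal cookie-name character


class LazyInitCookie(SimpleCookie):
    """Hypothetical model of the report: bad_cookies exists only after load()."""

    def load(self, rawdata):
        self.bad_cookies = set()
        super().load(rawdata)

    # BaseCookie.__setitem__ calls its private __set(), i.e. _BaseCookie__set.
    def _BaseCookie__set(self, key, real_value, coded_value):
        try:
            morsel = self.get(key, Morsel())
            morsel.set(key, real_value, coded_value)
            dict.__setitem__(self, key, morsel)
        except CookieError:
            # Raises AttributeError when load() has never run on this object.
            self.bad_cookies.add(key)
            dict.__setitem__(self, key, Morsel())


class EagerInitCookie(LazyInitCookie):
    """Same behaviour, with the attribute created at construction time."""

    def __init__(self, *args, **kwargs):
        self.bad_cookies = set()  # set before super().__init__, which may call load()
        super().__init__(*args, **kwargs)


def set_bad_key(cookie_cls, preload=None):
    """Set BAD_KEY on a fresh jar; return the recorded bad keys or the error text."""
    jar = cookie_cls()
    if preload:
        jar.load(preload)
    try:
        jar[BAD_KEY] = "1"
    except AttributeError as exc:
        return "AttributeError: %s" % exc
    return sorted(jar.bad_cookies)


if __name__ == "__main__":
    print(set_bad_key(LazyInitCookie))         # fresh object: CookieError handler fails
    print(set_bad_key(LazyInitCookie, "x=1"))  # load() ran first, so the bug is hidden
    print(set_bad_key(EagerInitCookie))        # attribute always present
```

The second call shows why the defect is easy to miss in testing: any code path that parses an incoming Cookie header first creates the attribute, so only a jar that was never loaded fails.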
