Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#19262 closed Bug (fixed)

SimpleTemplateResponse not calling super which causes cookies to not pickle correctly

Reported by: Sean Brant Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

SimpleTemplateResponse does not call super so the fixed introduced in #15863 does not take effect.

Change History (9)

comment:1 by Sean Brant, 11 years ago

Has patch: set

comment:2 by Sean Brant, 11 years ago

Summary: SimpleTemplateResponse not calling super which causes cookies to pickle correctlySimpleTemplateResponse not calling super which causes cookies to not pickle correctly

comment:3 by Claude Paroz, 11 years ago

Triage Stage: UnreviewedAccepted

comment:4 by Claude Paroz <claude@…>, 11 years ago

Resolution: fixed
Status: newclosed

In 4d817b38875c900d70793acd528afc9e954bbcb7:

Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.

comment:5 by Claude Paroz <claude@…>, 11 years ago

In 6554137eebe4bd10bdf3f1be21f63f0a9cffd7ff:

[1.5.x] Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.
Backport of 4d817b3887 from master.

comment:6 by Matthew Tretter, 11 years ago

I've opened a pull request to have this backported to 1.4.

comment:7 by Aymeric Augustin, 11 years ago

I'm sorry, but 1.4 only gets security fixes at this point, and this isn't a security issue.

https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions

in reply to:  7 comment:8 by anonymous, 11 years ago

I thought this was a security issue? The bug results in a scrambled CSRF cookie, forcing the user to disable CSRF protection.

comment:9 by Luke Plant, 11 years ago

It is not a security issue, because Django is not forcing developers to disable CSRF protection - they can always avoid using SimpleTemplateResponse, or avoid pickling/caching it. It is a bug in caching/SimpleTemplateResponse.

It would be a security issue if, for example, the bug caused the CSRF protection to always pass instead of always fail.

Sorry!

Note: See TracTickets for help on using tickets.
Back to Top