#19262 closed Bug (fixed)
SimpleTemplateResponse not calling super which causes cookies to not pickle correctly
Reported by: | Sean Brant | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 1.4 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
SimpleTemplateResponse does not call super, so the fix introduced in #15863 does not take effect.
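Added example (not code from this ticket or from Django itself) modelling the mechanism the description refers to: a base response whose `__getstate__`/`__setstate__` serialise cookies as a plain string so they survive pickling, and a template-response subclass whose own `__getstate__` copies `__dict__` without calling super, so the base class's cookie handling never runs. `FragileCookies`, the class names and the cookie value are constructed stand-ins, and `FragileCookies` deliberately unpickles empty to stand in for a cookie container that does not pickle correctly on its own.

```python
import pickle


class FragileCookies(dict):
    """Constructed stand-in for a cookie container that does not survive
    pickling on its own: it always unpickles as an empty container."""
    def __reduce__(self):
        return (FragileCookies, ())

    def load(self, raw):
        # Rebuild from the "k=v;k=v" string produced by output().
        for pair in filter(None, raw.split(";")):
            key, value = pair.split("=", 1)
            self[key.strip()] = value.strip()

    def output(self):
        return ";".join(f"{k}={v}" for k, v in self.items())


class BaseResponse:
    """Serialises cookies as a string on pickle and rebuilds them on unpickle
    (the idea behind the fix the ticket refers to as #15863)."""
    def __init__(self):
        self.cookies = FragileCookies()

    def __getstate__(self):
        state = self.__dict__.copy()
        state["cookies"] = self.cookies.output()
        return state

    def __setstate__(self, state):
        self.__dict__.update(state)
        if isinstance(state["cookies"], str):  # only present if __getstate__ ran
            self.cookies = FragileCookies()
            self.cookies.load(state["cookies"])


class BuggyTemplateResponse(BaseResponse):
    """Drops template state before pickling but never calls super(),
    so the cookie conversion in BaseResponse.__getstate__ is skipped."""
    def __init__(self):
        super().__init__()
        self.template = object()  # stands in for a loaded template object

    def __getstate__(self):
        state = self.__dict__.copy()
        del state["template"]
        return state


class FixedTemplateResponse(BuggyTemplateResponse):
    """Same, but starts from the parent's state so cookies are converted."""
    def __getstate__(self):
        state = BaseResponse.__getstate__(self)
        del state["template"]
        return state


def cookie_after_roundtrip(cls, name="csrftoken", value="constructed-token"):
    """Set one cookie, pickle and unpickle the response, return what survived."""
    resp = cls()
    resp.cookies[name] = value
    return pickle.loads(pickle.dumps(resp)).cookies.get(name)
```

With the buggy subclass the cookie comes back as `None` after the round trip; with the fixed one it is intact.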
Change History (9)
comment:1 by , 12 years ago
Has patch: | set |
---|---
comment:2 by , 12 years ago
Summary: | SimpleTemplateResponse not calling super which causes cookies to pickle correctly → SimpleTemplateResponse not calling super which causes cookies to not pickle correctly |
---|---
comment:3 by , 12 years ago
Triage Stage: | Unreviewed → Accepted |
---|---
comment:4 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
follow-up: 8 comment:7 by , 12 years ago
I'm sorry, but 1.4 only gets security fixes at this point, and this isn't a security issue.
https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions
comment:8 by , 12 years ago
I thought this was a security issue? The bug results in a scrambled CSRF cookie, forcing the user to disable CSRF protection.
comment:9 by , 12 years ago
It is not a security issue, because Django is not forcing developers to disable CSRF protection - they can always avoid using SimpleTemplateResponse, or avoid pickling/caching it. It is a bug in caching/SimpleTemplateResponse.
It would be a security issue if, for example, the bug caused the CSRF protection to always pass instead of always fail.
Sorry!
Patch included in https://github.com/django/django/pull/508