Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#19262 closed Bug (fixed)

SimpleTemplateResponse not calling super which causes cookies to not pickle correctly

Reported by: Sean Brant Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

SimpleTemplateResponse does not call super so the fixed introduced in #15863 does not take effect.

Change History (9)

comment:1 Changed 4 years ago by Sean Brant

Has patch: set

comment:2 Changed 4 years ago by Sean Brant

Summary: SimpleTemplateResponse not calling super which causes cookies to pickle correctlySimpleTemplateResponse not calling super which causes cookies to not pickle correctly

comment:3 Changed 4 years ago by Claude Paroz

Triage Stage: UnreviewedAccepted

comment:4 Changed 4 years ago by Claude Paroz <claude@…>

Resolution: fixed
Status: newclosed

In 4d817b38875c900d70793acd528afc9e954bbcb7:

Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.

comment:5 Changed 4 years ago by Claude Paroz <claude@…>

In 6554137eebe4bd10bdf3f1be21f63f0a9cffd7ff:

[1.5.x] Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.
Backport of 4d817b3887 from master.

comment:6 Changed 4 years ago by Matthew Tretter

I've opened a pull request to have this backported to 1.4.

comment:7 Changed 4 years ago by Aymeric Augustin

I'm sorry, but 1.4 only gets security fixes at this point, and this isn't a security issue.

https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions

comment:8 in reply to:  7 Changed 4 years ago by anonymous

I thought this was a security issue? The bug results in a scrambled CSRF cookie, forcing the user to disable CSRF protection.

comment:9 Changed 4 years ago by Luke Plant

It is not a security issue, because Django is not forcing developers to disable CSRF protection - they can always avoid using SimpleTemplateResponse, or avoid pickling/caching it. It is a bug in caching/SimpleTemplateResponse.

It would be a security issue if, for example, the bug caused the CSRF protection to always pass instead of always fail.

Sorry!

Note: See TracTickets for help on using tickets.
Back to Top