#19262 closed Bug (fixed)
SimpleTemplateResponse not calling super which causes cookies to not pickle correctly
| Reported by: | Sean Brant | Owned by: | nobody | 
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.4 | 
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no | 
| Needs tests: | no | Patch needs improvement: | no | 
| Easy pickings: | yes | UI/UX: | no | 
Description
SimpleTemplateResponse does not call super so the fix introduced in #15863 does not take effect.
Change History (9)
comment:1 by , 13 years ago
| Has patch: | set | 
|---|
comment:2 by , 13 years ago
| Summary: | SimpleTemplateResponse not calling super which causes cookies to pickle correctly → SimpleTemplateResponse not calling super which causes cookies to not pickle correctly | 
|---|
comment:3 by , 13 years ago
| Triage Stage: | Unreviewed → Accepted | 
|---|
comment:4 by , 13 years ago
| Resolution: | → fixed | 
|---|---|
| Status: | new → closed | 
follow-up: 8 comment:7 by , 13 years ago
I'm sorry, but 1.4 only gets security fixes at this point, and this isn't a security issue.
https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions
comment:8 by , 13 years ago
I thought this was a security issue? The bug results in a scrambled CSRF cookie, forcing the user to disable CSRF protection.
comment:9 by , 13 years ago
It is not a security issue, because Django is not forcing developers to disable CSRF protection - they can always avoid using SimpleTemplateResponse, or avoid pickling/caching it. It is a bug in caching/SimpleTemplateResponse.
It would be a security issue if, for example, the bug caused the CSRF protection to always pass instead of always fail.
Sorry!
Patch included in https://github.com/django/django/pull/508
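
As an added illustration (not Django's code and not part of the ticket), the sketch below models the defect named in the description: a subclass `__getstate__` that builds its own state and so skips the parent's pickling hook. `BaseResponse`, `BuggyTemplateResponse`, `FixedTemplateResponse` and the parent's text-based cookie handling are hypothetical stand-ins assumed for the example. On current Python it shows the hook being bypassed, not the scrambled cookie from the report.

```python
import pickle
from http.cookies import SimpleCookie


class BaseResponse:
    """Hypothetical parent: its pickling hooks store the cookie jar as text."""

    def __init__(self):
        self.cookies = SimpleCookie()

    def __getstate__(self):
        state = self.__dict__.copy()
        # Assumed parent behaviour: cookie jar -> plain string before pickling.
        state["cookies"] = state["cookies"].output(header="", sep="; ")
        return state

    def __setstate__(self, state):
        self.__dict__.update(state)
        self.cookies = SimpleCookie(self.cookies)  # plain string -> cookie jar


class BuggyTemplateResponse(BaseResponse):
    rendering_attrs = ("template", "context")

    def __init__(self, template, context):
        super().__init__()
        self.template, self.context = template, context

    def __getstate__(self):
        state = self.__dict__.copy()  # defect: parent's __getstate__ never runs
        return {k: v for k, v in state.items() if k not in self.rendering_attrs}


class FixedTemplateResponse(BuggyTemplateResponse):
    def __getstate__(self):
        state = BaseResponse.__getstate__(self)  # start from the parent's state
        return {k: v for k, v in state.items() if k not in self.rendering_attrs}


def cookie_state_type(response):
    """Type name of the 'cookies' entry that would be written to the cache."""
    return type(response.__getstate__()["cookies"]).__name__


def roundtrip_csrf(response):
    """Replay pickle's steps (getstate, dump, load, setstate); return csrftoken."""
    state = pickle.loads(pickle.dumps(response.__getstate__(), pickle.HIGHEST_PROTOCOL))
    restored = type(response).__new__(type(response))
    restored.__setstate__(state)
    return restored.cookies["csrftoken"].value
```

A regression test for this class of bug can assert that the state handed to the cache holds the cookies in the parent's serialised form rather than as a live `SimpleCookie` object.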