Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#19262 closed Bug (fixed)

SimpleTemplateResponse not calling super which causes cookies to not pickle correctly

Reported by: seanbrant Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

SimpleTemplateResponse does not call super so the fixed introduced in #15863 does not take effect.

Change History (9)

comment:1 Changed 2 years ago by seanbrant

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 2 years ago by seanbrant

  • Summary changed from SimpleTemplateResponse not calling super which causes cookies to pickle correctly to SimpleTemplateResponse not calling super which causes cookies to not pickle correctly

comment:3 Changed 2 years ago by claudep

  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 2 years ago by Claude Paroz <claude@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 4d817b38875c900d70793acd528afc9e954bbcb7:

Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.

comment:5 Changed 2 years ago by Claude Paroz <claude@…>

In 6554137eebe4bd10bdf3f1be21f63f0a9cffd7ff:

[1.5.x] Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.
Backport of 4d817b3887 from master.

comment:6 Changed 2 years ago by matthewwithanm

I've opened a pull request to have this backported to 1.4.

comment:7 follow-up: Changed 2 years ago by aaugustin

I'm sorry, but 1.4 only gets security fixes at this point, and this isn't a security issue.

https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions

comment:8 in reply to: ↑ 7 Changed 2 years ago by anonymous

I thought this was a security issue? The bug results in a scrambled CSRF cookie, forcing the user to disable CSRF protection.

comment:9 Changed 2 years ago by lukeplant

It is not a security issue, because Django is not forcing developers to disable CSRF protection - they can always avoid using SimpleTemplateResponse, or avoid pickling/caching it. It is a bug in caching/SimpleTemplateResponse.

It would be a security issue if, for example, the bug caused the CSRF protection to always pass instead of always fail.

Sorry!

Note: See TracTickets for help on using tickets.
Back to Top