Opened 20 months ago

Closed 20 months ago

Last modified 16 months ago

#19262 closed Bug (fixed)

SimpleTemplateResponse not calling super which causes cookies to not pickle correctly

Reported by: seanbrant Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

SimpleTemplateResponse does not call super so the fix introduced in #15863 does not take effect.
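The mechanism the description refers to, as an added example that is not Django's code: a constructed base response class whose `__getstate__`/`__setstate__` flatten the cookie jar to text and parse it back, a subclass that copies `__dict__` instead of calling `super().__getstate__()` (the pattern this ticket reports), the corrected subclass, and a pickle round-trip check that a test suite can run to catch the regression. `BaseResponse`, `Morsel`, `BuggyTemplateResponse` and `FixedTemplateResponse` are stand-ins defined here, not Django's classes.

```python
import pickle


class Morsel:
    """Constructed stand-in for one cookie entry (not http.cookies.Morsel)."""

    def __init__(self, value, path="/"):
        self.value = value
        self.path = path

    def header(self, name):
        return f"{name}={self.value}; Path={self.path}"


class BaseResponse:
    """Constructed stand-in for a base response class (not Django's HttpResponse).

    The base class owns the cookie jar and knows how to flatten it for
    pickling: every Morsel becomes 'value;path' text in __getstate__, and
    __setstate__ parses that text back into Morsels.
    """

    def __init__(self, content=""):
        self.content = content
        self.cookies = {}

    def set_cookie(self, name, value, path="/"):
        self.cookies[name] = Morsel(value, path)

    def cookie_headers(self):
        return [m.header(n) for n, m in sorted(self.cookies.items())]

    def __getstate__(self):
        state = self.__dict__.copy()
        state["cookies"] = {n: f"{m.value};{m.path}" for n, m in self.cookies.items()}
        return state

    def __setstate__(self, state):
        self.__dict__.update(state)
        jar = {}
        for name, raw in state["cookies"].items():
            # Expects the text written by __getstate__. If a subclass bypassed
            # __getstate__, raw is a Morsel object and str() yields its repr,
            # so the cookie value comes back scrambled rather than failing loudly.
            value, _, path = str(raw).partition(";")
            jar[name] = Morsel(value, path or "/")
        self.cookies = jar


class TemplateResponseBase(BaseResponse):
    """Adds a render-callback list that must be dropped before pickling."""

    def __init__(self, content=""):
        super().__init__(content)
        self._post_render_callbacks = [lambda response: response]  # not picklable


class BuggyTemplateResponse(TemplateResponseBase):
    """The pattern the ticket reports: __dict__ copied, base conversion skipped."""

    def __getstate__(self):
        state = self.__dict__.copy()  # BUG: BaseResponse.__getstate__ never runs
        del state["_post_render_callbacks"]
        return state


class FixedTemplateResponse(TemplateResponseBase):
    """Corrected form: start from the base class's state, then prune."""

    def __getstate__(self):
        state = super().__getstate__()  # cookie flattening happens here
        del state["_post_render_callbacks"]
        return state


def roundtrip_cookie_headers(response):
    """Pickle and unpickle a response; return (headers before, headers after)."""
    before = response.cookie_headers()
    after = pickle.loads(pickle.dumps(response)).cookie_headers()
    return before, after


def pickles_cookies_intact(response):
    """Regression check: cookies must survive a pickle round-trip unchanged."""
    before, after = roundtrip_cookie_headers(response)
    return before == after


if __name__ == "__main__":
    for cls in (BuggyTemplateResponse, FixedTemplateResponse):
        resp = cls("<html>...</html>")
        resp.set_cookie("csrftoken", "abc123")  # constructed token value
        before, after = roundtrip_cookie_headers(resp)
        print(cls.__name__, "before:", before, "after:", after)
```

The round-trip check is the piece worth keeping: a cache backend that pickles responses will silently serve whatever `__setstate__` produced, so the test compares the rendered `Set-Cookie` text before and after rather than only checking that unpickling did not raise.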

Attachments (0)

Change History (9)

comment:1 Changed 20 months ago by seanbrant

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 20 months ago by seanbrant

  • Summary changed from SimpleTemplateResponse not calling super which causes cookies to pickle correctly to SimpleTemplateResponse not calling super which causes cookies to not pickle correctly

comment:3 Changed 20 months ago by claudep

  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 20 months ago by Claude Paroz <claude@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 4d817b38875c900d70793acd528afc9e954bbcb7:

Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.

comment:5 Changed 20 months ago by Claude Paroz <claude@…>

In 6554137eebe4bd10bdf3f1be21f63f0a9cffd7ff:

[1.5.x] Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse

Refs #15863.
Backport of 4d817b3887 from master.

comment:6 Changed 16 months ago by matthewwithanm

I've opened a pull request to have this backported to 1.4.

comment:7 follow-up: Changed 16 months ago by aaugustin

I'm sorry, but 1.4 only gets security fixes at this point, and this isn't a security issue.

https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions

comment:8 in reply to: ↑ 7 Changed 16 months ago by anonymous

I thought this was a security issue? The bug results in a scrambled CSRF cookie, forcing the user to disable CSRF protection.

comment:9 Changed 16 months ago by lukeplant

It is not a security issue, because Django is not forcing developers to disable CSRF protection - they can always avoid using SimpleTemplateResponse, or avoid pickling/caching it. It is a bug in caching/SimpleTemplateResponse.

It would be a security issue if, for example, the bug caused the CSRF protection to always pass instead of always fail.

Sorry!
