Opened 13 months ago

Closed 10 months ago

Last modified 10 months ago

#20557 closed Bug (fixed)

Mangled Cookies on Python 3

Reported by: mitsuhiko
Owned by: aaugustin
Component: HTTP handling
Version: 1.5
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The WSGI spec mangles the strings when they go into the environment. This not only affects QUERY_STRING, PATH_INFO and SCRIPT_NAME, it also affects headers that are not latin1. This for instance applies to the HTTP_COOKIE header. When you set a cookie named förmlich="nährhaft" with JavaScript, Django will give you a mangled value.

The correct solution on Python 3 is to encode it back to latin1 and decode it from utf-8 as browsers do.
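
The round trip described above, as an added example that is not part of the ticket and is not Django's or Werkzeug's code. All function names are hypothetical, the sample bytes are constructed from the ticket's cookie, and replacing invalid UTF-8 instead of raising is a choice made for this example.

```python
# Added example (not Django or Werkzeug code); all names are hypothetical.

# Constructed sample: the bytes a browser sends for the ticket's cookie.
SAMPLE_WIRE = 'förmlich="nährhaft"'.encode("utf-8")


def wsgi_header_from_wire(raw: bytes) -> str:
    """Mimic a PEP 3333 server on Python 3: header bytes become a
    native str by decoding them as latin-1, whatever they contain."""
    return raw.decode("latin-1")


def recover_cookie_header(environ: dict) -> str:
    """Encode back to latin-1 to get the original bytes, then decode
    them as UTF-8, which is what the browser used."""
    raw = environ.get("HTTP_COOKIE", "").encode("latin-1")
    # Assumption of this example: invalid UTF-8 from a client becomes
    # U+FFFD instead of raising UnicodeDecodeError mid-request.
    return raw.decode("utf-8", errors="replace")


def parse_cookie_values(header: str) -> dict:
    """Minimal parser for the example: split on ';' and the first '=',
    and drop one pair of surrounding double quotes."""
    cookies = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if not sep or not name:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    environ = {"HTTP_COOKIE": wsgi_header_from_wire(SAMPLE_WIRE)}
    print("as seen in environ:", environ["HTTP_COOKIE"])
    print("after round trip:  ", parse_cookie_values(recover_cookie_header(environ)))
```

The minimal parser here accepts the non-ASCII key; the commit messages in this ticket note that the parser Django used at the time does not.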

Attachments (0)

Change History (7)

comment:1 Changed 13 months ago by aaugustin

  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to aaugustin
  • Patch needs improvement unset
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Accepted

Agreed, that's what Django should do.

(I don't remember how this works currently.)

comment:2 Changed 13 months ago by mitsuhiko

I just noticed that the stdlib module has some issues with unicode on Python 3. I am going to investigate how I'm going to solve this in Werkzeug and will link you the solution once I have one.

comment:3 Changed 13 months ago by mitsuhiko

This is the solution I ended up with in Werkzeug for the time being: https://github.com/mitsuhiko/werkzeug/commit/cf048aad79faa4675f8d90ab57928dc3e09808cb

comment:4 Changed 13 months ago by aaugustin

  • Type changed from Uncategorized to Bug

We reached roughly the same conclusion; we just piled hacks upon hacks instead of rewriting the whole thing like you did...

comment:5 Changed 10 months ago by Aymeric Augustin <aymeric.augustin@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 8aaca651cf5732bbf395d24a7d9f2edfab00250c:

Fixed #20557 -- Properly decoded non-ASCII cookies on Python 3.

Thanks mitsuhiko for the report.

Non-ASCII values are supported. Non-ASCII keys still aren't, because the
current parser mangles them. That's another bug.

comment:6 Changed 10 months ago by Aymeric Augustin <aymeric.augustin@…>

In fac5735a3daffb82b67ff489f0c963eaf953f6e7:

[1.6.x] Fixed #20557 -- Properly decoded non-ASCII cookies on Python 3.

Thanks mitsuhiko for the report.

Non-ASCII values are supported. Non-ASCII keys still aren't, because the
current parser mangles them. That's another bug.

Simplified backport of 8aaca651 and f5add47 from master.

comment:7 Changed 10 months ago by Aymeric Augustin <aymeric.augustin@…>

In f5add4712f684a78215263771b8acaeb48e64a81:

Fixed tests introduced in previous commit on Python 2. Refs #20557.
