Opened 5 years ago

Closed 3 years ago

#20755 closed Bug (wontfix)

Certain cookie flags don't get unpickled properly

Reported by: Julien Phalip
Owned by: Julien Phalip
Component: HTTP handling
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


I've noticed that some cookie flags (at least httponly and secure) do not properly get unpickled. This is an issue particularly for FetchFromCacheMiddleware when it unpickles a cached response object.

So far I've narrowed down the issue to this snippet of code:

import pickle
from django.http import HttpResponse

original = HttpResponse()
original.set_cookie('foo', 'bar', path='/blah', httponly=True, secure=True)

pickled = pickle.dumps(original, pickle.HIGHEST_PROTOCOL)
reloaded = pickle.loads(pickled)

# httponly and secure get lost in the pickle loading process!!
original.cookies['foo']['httponly']   # True
reloaded.cookies['foo']['httponly']   # ''

original.cookies['foo']['secure']     # True
reloaded.cookies['foo']['secure']     # ''

str(original.cookies)                 # 'Set-Cookie: foo=bar; httponly; Path=/blah; secure'
str(reloaded.cookies)                 # 'Set-Cookie: foo=bar; Path=/blah'

At this stage I'm unsure if it's a bug in Django or in Python. For the record, I've tested this with Python 2.7.5.

Change History (2)

comment:1 Changed 5 years ago by Julien Phalip

Owner: changed from nobody to Julien Phalip
Status: new → assigned
Triage Stage: Unreviewed → Accepted

After discussing with Collin Anderson, we found that this is in fact a bug in Python. The HTTPOnly and Secure flags aren't properly deserialized:

One work-around in Django would be to replace the empty strings '' with True.

I'll see if we can get this fixed in Python first before settling on a given work-around.

comment:2 Changed 3 years ago by Tim Graham

Component: Core (Serialization) → HTTP handling
Resolution: wontfix
Status: assigned → closed

This has been fixed in Python 2.7.9, 3.3.3, and 3.4. Not sure it's worth adding a workaround in Django at this point.
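
An added example, not part of the ticket or of Django's code: a check for cookie security flags lost across a pickle round trip, using Python 3's standard-library `http.cookies.SimpleCookie` in place of `HttpResponse.cookies`. The helper names, the sample cookies and `simulate_lossy_reload` (which imitates the `''` values reported above) are constructed for illustration; `reapply_flags` restores flags recorded before serialization and is an assumption, not the work-around proposed in comment 1.

```python
import pickle
from http.cookies import SimpleCookie  # Python 3 stdlib; the ticket used Python 2.7.5

SECURITY_FLAGS = ("httponly", "secure")

def security_flags(cookies):
    """Map each cookie name to the set of security flags that are truthy on it."""
    return {name: {flag for flag in SECURITY_FLAGS if morsel[flag]}
            for name, morsel in cookies.items()}

def dropped_flags(before, after):
    """Return sorted (cookie, flag) pairs set in `before` but missing in `after`."""
    kept = security_flags(after)
    return sorted((name, flag)
                  for name, flags in security_flags(before).items()
                  for flag in flags - kept.get(name, set()))

def reapply_flags(cookies, recorded):
    """Set every flag in `recorded` (output of security_flags) back to True."""
    for name, flags in recorded.items():
        if name in cookies:
            for flag in flags:
                cookies[name][flag] = True
    return cookies

def build_original():
    """Constructed sample mirroring the ticket: one flagged cookie, one plain one."""
    jar = SimpleCookie()
    jar["foo"] = "bar"
    jar["foo"]["path"] = "/blah"
    jar["foo"]["httponly"] = True
    jar["foo"]["secure"] = True
    jar["theme"] = "dark"
    return jar

def pickle_roundtrip(jar):
    """Serialize and reload the cookie jar the way the ticket's snippet does."""
    return pickle.loads(pickle.dumps(jar, pickle.HIGHEST_PROTOCOL))

def simulate_lossy_reload(jar):
    """Constructed stand-in for an affected interpreter: flags come back as ''."""
    reloaded = pickle_roundtrip(jar)
    for morsel in reloaded.values():
        for flag in SECURITY_FLAGS:
            morsel[flag] = ""
    return reloaded
```

Running `dropped_flags(jar, pickle_roundtrip(jar))` in a test suite reports whether the interpreter in use still loses the flags; an empty list means they survived.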
