Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#23638 closed Bug (fixed)

Django raises exceptions on unicode in cookies/headers

Reported by: Philip
Owned by: nobody
Component: HTTP handling
Version: 1.7
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Philip)

I am cleaning up my random errors, and this one has me stumped. Should I build a custom error emailer that ignores these, or is it something Django should fix?

Internal Server Error: /join1/
Traceback (most recent call last):
  File "/home/exotic/.pyenv/versions/3.4.1/lib/python3.4/site-packages/django/core/handlers/base.py", line 87, in get_response
    response = middleware_method(request)
  File "/home/exotic/.pyenv/versions/3.4.1/lib/python3.4/site-packages/django/contrib/sessions/middleware.py", line 15, in process_request
    session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
  File "/home/exotic/.pyenv/versions/3.4.1/lib/python3.4/site-packages/django/utils/functional.py", line 55, in __get__
    res = instance.__dict__[self.func.__name__] = self.func(instance)
  File "/home/exotic/.pyenv/versions/3.4.1/lib/python3.4/site-packages/django/core/handlers/wsgi.py", line 143, in COOKIES
    raw_cookie = get_str_from_wsgi(self.environ, 'HTTP_COOKIE', '')
  File "/home/exotic/.pyenv/versions/3.4.1/lib/python3.4/site-packages/django/core/handlers/wsgi.py", line 262, in get_str_from_wsgi
    return value if six.PY2 else value.encode(ISO_8859_1).decode(UTF_8)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe7 in position 33: invalid continuation byte

Unparsed cookies.

Request repr():
<WSGIRequest
path:/join1/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:<could not parse>,
META:{'CONTENT_LENGTH': '',
 'CONTENT_TYPE': '',
 'DOCUMENT_ROOT': '/usr/local/nginx/html',
 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'HTTP_ACCEPT_ENCODING': 'gzip,deflate,sdch',
 'HTTP_ACCEPT_LANGUAGE': 'it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4',
 'HTTP_CONNECTION': 'keep-alive',
 'HTTP_COOKIE': 'csrftoken=89uzZHmJ9ALZXxSTvVnEueCçWÈ\x03Ç\x9c(êh]Û\x8eÉ÷\x89&Æ/\x19á\x0f\t'
                '*£\x15Îè×MJ\x0e.1412634272',
. . . 

Change History (8)

comment:1 Changed 6 years ago by Claude Paroz

Component: Uncategorized → HTTP handling
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

Your cookie content seems really garbage, it's unlikely that Django produced it.

Anyway, Django should not crash. I'll suggest a patch to fix this.
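
Added example, not part of the ticket and not Django's patch: it reproduces the failing `encode(ISO_8859_1).decode(UTF_8)` round trip from the traceback on a constructed cookie header, then decodes the same header without raising. The function names, the sample header, and the policy of dropping damaged name/value pairs are assumptions of this sketch.

```python
def strict_header(environ, key):
    """Round trip shown in the traceback: latin-1 str -> bytes -> strict UTF-8."""
    return environ.get(key, "").encode("iso-8859-1").decode("utf-8")


def tolerant_header(environ, key):
    """Same round trip; returns (text, clean). Undecodable bytes become U+FFFD."""
    raw = environ.get(key, "").encode("iso-8859-1")
    try:
        return raw.decode("utf-8"), True
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace"), False


def parse_cookies(environ):
    """Return ({name: value}, clean); damaged pairs are skipped, nothing raises."""
    text, clean = tolerant_header(environ, "HTTP_COOKIE")
    cookies = {}
    for chunk in text.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if not sep or not name:
            continue
        # Assumption of this sketch: discard values that carried undecodable
        # bytes (now U+FFFD) or ASCII control characters.
        if any(c == "\ufffd" or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            continue
        cookies[name] = value
    return cookies, clean


# Constructed sample: a valid pair followed by a corrupted token. A PEP 3333
# server hands the header bytes to the application decoded as ISO-8859-1.
RAW_COOKIE = b"sessionid=abc123; csrftoken=89uz\xe7W\xc8\x03\xc7.1412634272"
SAMPLE_ENVIRON = {"HTTP_COOKIE": RAW_COOKIE.decode("iso-8859-1")}

if __name__ == "__main__":
    try:
        strict_header(SAMPLE_ENVIRON, "HTTP_COOKIE")
    except UnicodeDecodeError as exc:
        print("strict decode fails:", exc)
    print(parse_cookies(SAMPLE_ENVIRON))
```

The `clean` flag lets a caller log or count malformed headers while still serving the request.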

comment:3 Changed 6 years ago by Tim Graham

Triage Stage: Accepted → Ready for checkin

comment:4 Changed 6 years ago by Claude Paroz <claude@…>

Resolution: fixed
Status: new → closed

In 59d487e7fc02980e76dad053dd989c8b4899444f:

Fixed #23638 -- Prevented crash while parsing invalid cookie content

Thanks Philip Gatt for the report and Tim Graham for the review.

comment:5 Changed 6 years ago by Claude Paroz <claude@…>

In 6398ebab93a6a19afd1aee9cef120f052a801717:

[1.7.x] Fixed #23638 -- Prevented crash while parsing invalid cookie content

Thanks Philip Gatt for the report and Tim Graham for the review.
Backport of 59d487e7fc from master.

comment:6 Changed 6 years ago by Philip

Description: modified (diff)

comment:7 Changed 6 years ago by Claude Paroz <claude@…>

In 7131efa154a3e4dd0121503578fa6ca676366431:

Adapted invalid cookie test to all Python versions

Refs #23638. Older Python versions are less strict when parsing
invalid cookie content. The test just has to ensure Django doesn't
crash.

comment:8 Changed 6 years ago by Claude Paroz <claude@…>

In 555952c3e6fd0f4041ea7012d216641f6ffafe5b:

[1.7.x] Adapted invalid cookie test to all Python versions

Refs #23638. Older Python versions are less strict when parsing
invalid cookie content. The test just has to ensure Django doesn't
crash.
