Opened 5 years ago

Closed 4 years ago

#24492 closed Bug (wontfix)

Bug in BaseCookie load can result in cookies not being set

Reported by: Mark Hughes Owned by: Tim Graham
Component: HTTP handling Version: 1.7
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

A bug with the Python cookie library means that cookies with square brackets (and all subsequent cookies) are ignored.

http://bugs.python.org/issue22931

As far as I can tell this effects 2.7.9 and 3.4+

In our case some users had a s_vi cookie which appears to come from Adobe Site Catalyst. As this cookie contains square brackets, the Django sessionid which appeared later in the cookie string was being ignored and the user was unable to login.

Here's a simple test case.

>>> from django.http.cookie import SimpleCookie
>>> dd = SimpleCookie()
>>> dd.load('a=b; c=[; d=r')
>>> dd.output()
'Set-Cookie: a=b'

Should we try and code around this in http/cookie.py where other standard library issues are handled?

Change History (4)

comment:1 Changed 5 years ago by Tim Graham

Resolution: wontfix
Status: newclosed

Since we only officially support the latest micro release for each Python series, I doubt it's worth trying to address this in Django itself. A fix in Django isn't likely to be backported and by the time Django 1.9 is released, I'd hope it'se fixed upstream in Python. We debated removing the existing workarounds in django.http.cookie but decided to keep them since they don't present a maintenance overhead at this time.

comment:2 Changed 4 years ago by Tim Graham

Resolution: wontfix
Status: closednew
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

Reopening and assigning to myself to coordinate a fix in Django if Python does not backport the fix from ​http://bugs.python.org/issue22931.

comment:3 Changed 4 years ago by Tim Graham

Owner: changed from nobody to Tim Graham
Status: newassigned

comment:4 Changed 4 years ago by Tim Graham

Resolution: wontfix
Status: assignedclosed

The Python fix has been applied to the 2.7, 3.2, 3.3, and 3.4 branches.

Note: See TracTickets for help on using tickets.
Back to Top