Opened 10 years ago
Closed 10 years ago
#24492 closed Bug (wontfix)
Bug in BaseCookie load can result in cookies not being set
Reported by: | Mark Hughes | Owned by: | Tim Graham |
---|---|---|---|
Component: | HTTP handling | Version: | 1.7 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
A bug with the Python cookie library means that cookies with square brackets (and all subsequent cookies) are ignored.
http://bugs.python.org/issue22931
As far as I can tell this effects 2.7.9 and 3.4+
In our case some users had a s_vi cookie which appears to come from Adobe Site Catalyst. As this cookie contains square brackets, the Django sessionid which appeared later in the cookie string was being ignored and the user was unable to login.
Here's a simple test case.
>>> from django.http.cookie import SimpleCookie >>> dd = SimpleCookie() >>> dd.load('a=b; c=[; d=r') >>> dd.output() 'Set-Cookie: a=b'
Should we try and code around this in http/cookie.py
where other standard library issues are handled?
Change History (4)
comment:1 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 10 years ago
Resolution: | wontfix |
---|---|
Status: | closed → new |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Bug |
Reopening and assigning to myself to coordinate a fix in Django if Python does not backport the fix from http://bugs.python.org/issue22931.
comment:3 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
The Python fix has been applied to the 2.7, 3.2, 3.3, and 3.4 branches.
Since we only officially support the latest micro release for each Python series, I doubt it's worth trying to address this in Django itself. A fix in Django isn't likely to be backported and by the time Django 1.9 is released, I'd hope it'se fixed upstream in Python. We debated removing the existing workarounds in
django.http.cookie
but decided to keep them since they don't present a maintenance overhead at this time.