Opened 4 years ago

Closed 4 years ago

#24634 closed Uncategorized (invalid)

Comma as a cookie separator in HTTP_COOKIES is not handled correctly

Reported by: Piotr Maliński Owned by: nobody
Component: Uncategorized Version: 1.7
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

RFC https://www.ietf.org/rfc/rfc2109.txt states:

A server should also accept comma (,) as the separator between cookie-values for future compatibility.

And now Skype WISPr and iPassConnect user agents are using this separator and the cookies are not handled by Django correctly. A simple test:

client = test.Client(HTTP_COOKIE='zz=a,zzz=b,zzzz=c')
client.get('/')

Ends up with:

{'zz': 'a,zzz=b,zzzz=c'}

as request.COOKIES in Django.

Change History (2)

comment:1 Changed 4 years ago by Piotr Maliński

It happens only if the cookies are separated by comma. Comma plus space works.

comment:2 Changed 4 years ago by Tim Graham

Resolution: invalid
Status: newclosed

Django uses Python's cookie parsing, so if this is to be addressed at all, I think it should be addressed upstream. I'd check to see if a similar issue has been raised in the past before filing a bug.

Note: See TracTickets for help on using tickets.
Back to Top