Changes between Initial Version and Version 1 of Ticket #26158, comment 2


Timestamp: 01/31/2016 10:58:00 AM (4 years ago)
Author: Andreas Dolk
  • Ticket #26158, comment 2

    initial v1  
    1 Django relies on the python core module http.cookies for parsing the cookie strings. Right now, django apps that run with python 3.x are vulnerable and stop working, if the request contains a nameless cookie. It would be great, if the python devs accepted this as a bug (i.e. ignore unnamed cookies and create all the others instead on none). But there's no guarantee and in the ends, it's not python but our django app (and our clients) that stops working...
     1Django relies on the python core module http.cookies for parsing the cookie strings. Right now, django apps that run with python 3.x are vulnerable and stop working, if the request contains a nameless cookie. It would be great, if the python devs accepted this as a bug (i.e. ignore unnamed cookies and create all the others instead on none). But there's no guarantee and in the end, it's not python but our django app that stops working and my clients complain.
    22
    33An alternative could be to split the cookie at ';' and load the cookies one by one. As far as I understand, the correct cookies will be created, the unnamed ones ignored.
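
The alternative described in the comment above, sketched as an added example (not part of the ticket, and not Django's own code): the header is split at ';' and each chunk is loaded into its own `SimpleCookie`, so a nameless or malformed pair cannot discard the valid cookies. The function name and the sample header are assumptions made for illustration.

```python
from http.cookies import CookieError, SimpleCookie


def parse_cookie_header(header):
    """Parse a Cookie header chunk by chunk (hypothetical helper).

    Limitation: a quoted value that itself contains ';' is split apart,
    so this trades strictness for availability.
    """
    cookies = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        name, sep, _ = chunk.partition("=")
        # Skip empty chunks and nameless pairs such as "=value" explicitly,
        # rather than relying on version-dependent stdlib behaviour.
        if not chunk or (sep and not name.strip()):
            continue
        jar = SimpleCookie()
        try:
            jar.load(chunk)
        except CookieError:
            # Malformed chunk: drop it and keep what was already parsed.
            continue
        for key, morsel in jar.items():
            cookies[key] = morsel.value
    return cookies


# Constructed sample header: two valid cookies around a nameless one.
SAMPLE = "sessionid=abc123; =orphan; csrftoken=xyz789"

if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE))
```
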