Opened 9 years ago
Closed 9 years ago
#26349 closed Bug (invalid)
A cookie named "?" breaks CSRF
Reported by: | eyelidlessness | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 1.9 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Steps to reproduce:
- Create a cookie with a question mark in its name.
- Perform any request which would require CSRF protection.
Expected result:
The unrelated cookie would have no impact on CSRF in the request.
Observed result:
Request fails with "CSRF cookie not set."
Change History (2)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
We use cookie parsing from Python and I believe those are invalid characters for a cookie key value. If parsing fails, remaining cookies will be ignored by Python's current parsing scheme. There's an open ticket for Python which may improve the situation: http://bugs.python.org/issue25228
Unless you can point to why Django is at fault, I believe this class of issue should be directed at Python.
Any cookie using a double quote also seems to trigger this issue.
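The failure mode described in the ticket, as an added example that is not code from the ticket, from Django or from CPython: the Cookie header is handed to `http.cookies.SimpleCookie`, which either raises `CookieError` on an illegal cookie name such as `?` or stops matching at a `"`, so the unrelated `csrftoken` cookie never reaches the CSRF check. Beside it is a lenient split-based parser (written here for illustration, not the parser Django shipped) that treats each `name=value` pair independently. The three Cookie headers, the cookie values and the `csrftoken` cookie name (Django's default) are constructed assumptions for the demonstration.

```python
"""Added example: a malformed cookie name versus the CSRF cookie.

Not from the ticket, Django or CPython. Shows why one cookie named "?" (or one
containing a double quote) can make the CSRF cookie disappear when the whole
Cookie header is parsed with http.cookies, and how a per-pair parser avoids it.
"""
import http.cookies

# Assumption: Django's default CSRF cookie name.
CSRF_COOKIE_NAME = "csrftoken"

# Constructed Cookie headers for the demonstration (not captured traffic).
HEADERS = {
    "clean": "sessionid=s3ss10n; csrftoken=abc123",
    "question_mark": "?=1; csrftoken=abc123",
    "double_quote": 'a"b=1; csrftoken=abc123',
}


def strict_parse(header):
    """Parse a Cookie header with the stdlib SimpleCookie.

    Any CookieError discards the whole header, which is the strict behaviour
    the ticket runs into: one illegal name and no cookie survives. A name
    containing '"' never matches the stdlib's cookie regex at all, so parsing
    stops there and nothing after it is loaded either.
    """
    jar = http.cookies.SimpleCookie()
    try:
        jar.load(header)
    except http.cookies.CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def lenient_parse(header):
    """Split on ';' and '=' so each pair stands on its own.

    Caveat: this accepts names that RFC 6265 forbids, so anything downstream
    must treat cookie names as untrusted input rather than validated tokens.
    """
    decoder = http.cookies.SimpleCookie()  # only used for value_decode()
    cookies = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
        else:
            name, value = "", chunk  # bare value with no name
        name, value = name.strip(), value.strip()
        if name or value:
            # value_decode() strips surrounding double quotes and unescapes.
            cookies[name] = decoder.value_decode(value)[0]
    return cookies


def csrf_token(parse, header):
    """Return the CSRF cookie value a middleware would see, or None."""
    return parse(header).get(CSRF_COOKIE_NAME)


def compare(headers=HEADERS):
    """Map each header label to (strict token, lenient token)."""
    return {
        label: (csrf_token(strict_parse, header), csrf_token(lenient_parse, header))
        for label, header in headers.items()
    }


if __name__ == "__main__":
    for label, (strict, lenient) in compare().items():
        print(f"{label:14s} strict={strict!r:10s} lenient={lenient!r}")
```

With the strict parser only the clean header yields a token; the other two yield None, which is exactly the "CSRF cookie not set" outcome, even though the `csrftoken` pair itself is well formed. The lenient parser returns `abc123` for all three because a bad pair only costs itself.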