Opened 6 years ago

Closed 6 years ago

#26349 closed Bug (invalid)

A cookie named "?" breaks CSRF

Reported by: eyelidlessness Owned by: nobody
Component: CSRF Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Steps to reproduce:

  1. Create a cookie with a question mark in its name.
  2. Perform any request which would CSRF protection.

Expected result:

The unrelated cookie would have no impact on CSRF in the request.

Observed result:

Request fails with "CSRF cookie not set."

Change History (2)

comment:1 in reply to:  description Changed 6 years ago by eyelidlessness

Any cookie using a double quote also seems to trigger this issue.

comment:2 Changed 6 years ago by Tim Graham

Resolution: invalid
Status: newclosed

We use cookie parsing from Python and I believe those are invalid characters for a cookie key value. If parsing fails, remaining cookies will be ignored by Python's current parsing scheme. There's an open ticket for Python which may improve the situation: http://bugs.python.org/issue25228

Unless you can point to why Django is at fault, I believe this class of issue should be directed at Python.

Note: See TracTickets for help on using tickets.
Back to Top