Opened 10 years ago
Closed 10 years ago
#26349 closed Bug (invalid)
A cookie named "?" breaks CSRF
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | eyelidlessness | Owned by: | nobody |
| Component: | CSRF | Version: | 1.9 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Steps to reproduce:
- Create a cookie with a question mark in its name.
- Perform any request which would require CSRF protection.
Expected result:
The unrelated cookie would have no impact on CSRF in the request.
Observed result:
Request fails with "CSRF cookie not set."
Change History (2)
comment:1, 10 years ago
comment:2, 10 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
We use cookie parsing from Python and I believe those are invalid characters for a cookie key value. If parsing fails, remaining cookies will be ignored by Python's current parsing scheme. There's an open ticket for Python which may improve the situation: http://bugs.python.org/issue25228
Unless you can point to why Django is at fault, I believe this class of issue should be directed at Python.
Any cookie using a double quote also seems to trigger this issue.
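The behaviour the report and the reply describe can be reproduced directly against Python's `http.cookies`. The script below is an added illustration written for this page; it is not code from the ticket, from Django or from CPython. It assumes Django's default CSRF cookie name `csrftoken`, and the `Cookie:` header strings it parses are constructed. `parse_strict()` hands the whole header to `SimpleCookie.load()` and treats a `CookieError` as an empty cookie jar, which is the shape of the approach the reply refers to (the exact error handling is a simplification); `parse_lenient()` is a hypothetical alternative that parses each `name=value` pair on its own so one malformed name cannot take the others down with it. Both `?` and `"` are separators under RFC 2616, so neither is a legal `cookie-name` token under RFC 6265 section 4.1.1, which is why `http.cookies` rejects them.

```python
"""Added example: how one malformed cookie name affects http.cookies parsing.

Illustration written for this page, not Django's or Python's own code.
'csrftoken' is Django's default CSRF cookie name; the headers are constructed.
"""
from http.cookies import SimpleCookie, CookieError

# Constructed Cookie: header values. The first is clean; the other two carry
# one cookie whose name is not an RFC 6265 token ('?' and '"' are separators),
# deliberately placed before the CSRF cookie.
CLEAN_HEADER = "sessionid=abc123; csrftoken=tok456"
QUESTION_MARK_HEADER = "sessionid=abc123; ?=junk; csrftoken=tok456"
DOUBLE_QUOTE_HEADER = 'sessionid=abc123; "quoted"=junk; csrftoken=tok456'


def parse_strict(header):
    """Whole-header parsing via SimpleCookie.load().

    A CookieError anywhere in the header is treated as 'no cookies at all'.
    Returns (cookies_dict, error_message_or_None).
    """
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError as exc:
        return {}, str(exc)
    return {name: morsel.value for name, morsel in jar.items()}, None


def _unquote(value):
    """Undo the quoting http.cookies applies: strip surrounding double quotes
    and the backslash escapes used inside them."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value


def parse_lenient(header):
    """Hypothetical per-pair parser: split on ';', then on the first '='.

    A pair with a bad name is kept as an ordinary key and never prevents the
    pairs after it from being read. Chunks without '=' are skipped.
    """
    cookies = {}
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue
        name, value = chunk.split("=", 1)
        name, value = name.strip(), value.strip()
        if name:
            cookies[name] = _unquote(value)
    return cookies


def csrf_cookie_present(parser, header, name="csrftoken"):
    """Mirror the check behind 'CSRF cookie not set': is the CSRF cookie
    visible once the header has been parsed with the given parser?"""
    return name in parser(header)


if __name__ == "__main__":
    cases = [("clean", CLEAN_HEADER),
             ("question mark", QUESTION_MARK_HEADER),
             ("double quote", DOUBLE_QUOTE_HEADER)]
    for label, header in cases:
        strict, err = parse_strict(header)
        print(f"{label:14} strict  -> {strict} error={err!r}")
        print(f"{label:14} lenient -> {parse_lenient(header)}")
```

Running it shows the two failure shapes: the `?` name makes `load()` raise (`Illegal key '?'`) and the strict parser returns nothing, while the `"quoted"` name does not match the tokenizer's key pattern, so `load()` stops silently at that point and `csrftoken` is never reached. Either way the CSRF middleware fails closed with "CSRF cookie not set", which is an availability problem rather than a bypass, but note who can trigger it: any other application on the same host, or any subdomain able to set a cookie on a shared parent domain, can break every CSRF-protected form by setting one cookie with a bad name. Per-pair parsing removes that lever; the malformed name is still not a valid token and should not be trusted for anything, but it no longer hides the cookies that follow it.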