#26914 closed Bug (duplicate)

Invalid characters in cookie name breaks csrf checking

Reported by: Cheng Guo Owned by: nobody
Component: HTTP handling Version: 1.9
Severity: Normal Keywords: csrf, cookie
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If a cookie name contains either [ or ] and this cookie is placed before the csrftoken cookie in the http request header, it will prevent the csrftoken from loading and result in a CSRF cookie not set error.

For example, on any login page with csrf enabled, create a cookie in the browser like the following and submit the form:

key: [
val: whatever

If this cookie is placed before the csrftoken cookie in the Cookie field of the http request header, then django will return 403 with the CSRF cookie not set error. Here is a link to the source code

This bug does not seem to be related to Python 2.7.x's cookie bug or this bug. These previous reports state that square brackets cannot be presented in the value of the cookie. Python's cookie library will drop everything after the square brackets silently

In this bug, Python 2.7.10 does throw a Illegal key value error:

import Cookie

c = Cookie.SimpleCookie()
c['['] = 'test'  # CookieError: Illegal key value: [

So my guess is that this error wasn't being dealt correctly in Django. So whichever function passed the request object into this function isn't parsing the cookies correctly.

Change History (1)

comment:1 Changed 13 months ago by Tim Graham

Component: CSRFHTTP handling
Resolution: duplicate
Status: newclosed

This is fixed in Django 1.10 by 93a135d111c2569d88d65a3f4ad9e6d9ad291452 (#26158). The following assertion fails in 1.9 and passes in 1.10:

self.assertEqual(parse_cookie('[=whatever;c= v;'), {'[': 'whatever', 'c': 'v'})

Note: See TracTickets for help on using tickets.
Back to Top