Opened 8 years ago
Closed 8 years ago
#26914 closed Bug (duplicate)
Invalid characters in cookie name breaks csrf checking
Reported by: | Cheng Guo | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 1.9 |
Severity: | Normal | Keywords: | csrf, cookie |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
If a cookie name contains either [ or ] and this cookie is placed before the csrftoken cookie in the HTTP request header, it will prevent the csrftoken from loading and result in a "CSRF cookie not set" error.
For example, on any login page with csrf enabled, create a cookie in the browser like the following and submit the form:
key: [
val: whatever
If this cookie is placed before the csrftoken cookie in the Cookie field of the HTTP request header, then Django will return 403 with the "CSRF cookie not set" error. Here is a link to the source code
This bug does not seem to be related to Python 2.7.x's cookie bug or this bug. These previous reports state that square brackets cannot be present in the value of the cookie; Python's cookie library will drop everything after the square brackets silently.
In this bug, Python 2.7.10 does throw an "Illegal key value" error:

```python
import Cookie

c = Cookie.SimpleCookie()
c['['] = 'test'  # CookieError: Illegal key value: [
```
So my guess is that this error wasn't being dealt with correctly in Django, so whichever function passes the request object into this function isn't parsing the cookies correctly.
Change History (1)
comment:1 by , 8 years ago
Component: | CSRF → HTTP handling |
---|---|
Resolution: | → duplicate |
Status: | new → closed |
This is fixed in Django 1.10 by 93a135d111c2569d88d65a3f4ad9e6d9ad291452 (#26158). The following assertion fails in 1.9 and passes in 1.10:

```python
from django.http import parse_cookie

# inside a TestCase method
self.assertEqual(parse_cookie('[=whatever;c= v;'), {'[': 'whatever', 'c': 'v'})
```
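As an added example (not code from the ticket or from Django itself), the two parsing strategies side by side: a SimpleCookie-based parser in the spirit of the 1.9 code path described in the report, which loses every cookie after the first name SimpleCookie rejects, and a split-based parser in the spirit of the 1.10 fix referenced in the comment. The header value, the `_unquote` helper and the function names are constructed for this illustration.

```python
from http.cookies import CookieError, SimpleCookie


def parse_cookie_strict(header):
    """SimpleCookie-based parsing (the pre-1.10 style described in the report).
    SimpleCookie stops at the first cookie name it considers illegal, such as
    '[', so every cookie after it, csrftoken included, is silently dropped.
    A CookieError yields an empty dict, i.e. all cookies lost."""
    try:
        c = SimpleCookie()
        c.load(header)
    except CookieError:
        return {}
    return {key: morsel.value for key, morsel in c.items()}


def _unquote(value):
    """Strip one pair of surrounding double quotes (a simplified stand-in for
    the unquoting the real parser performs)."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_cookie_tolerant(header):
    """Split-based parsing (the 1.10-style fix): cut the header on ';' and the
    first '=' of each chunk, so one odd name cannot hide the cookies after it."""
    cookies = {}
    for chunk in header.split(';'):
        if '=' in chunk:
            key, val = chunk.split('=', 1)
        else:
            key, val = '', chunk  # a bare value is kept under an empty name
        key, val = key.strip(), val.strip()
        if key or val:
            cookies[key] = _unquote(val)
    return cookies


# Constructed header reproducing the report: a '[' cookie ahead of csrftoken.
CONSTRUCTED_HEADER = '[=whatever; csrftoken=abc123'

if __name__ == '__main__':
    print(parse_cookie_strict(CONSTRUCTED_HEADER))    # csrftoken missing
    print(parse_cookie_tolerant(CONSTRUCTED_HEADER))  # csrftoken present
```

Swapping the order of the two cookies in the constructed header makes the strict parser keep csrftoken again, which is the order dependence the report describes.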