There are a number of problems with the way Django currently parses and compares ETags. The main issue is that we don't properly distinguish between weak and strong ETags. Specifically:
- Since we don't distinguish between weak and strong ETags, all of our comparisons are implicitly weak (see section 2.3.2 of RFC 7232). The specification, however, says that we "MUST use the strong comparison function when comparing entity-tags for
If-Match
" (section 3.1).
- There's no way to supply a weak ETag via the
condition()
decorator.
- If the developer specifies a weak ETag directly (by assigning to the
ETag
header in the response), we don't parse it properly and it will never match.
- We interpret the ETag format and implement the matching algorithm based on the old specification (RFC 2616), not the new one (RFC 7232). They are somewhat different.
Correcting this is mostly straightforward. The only tricky issue is what to do about the ETags returned from etag_func()
in the condition()
decorator. We currently treat these as unquoted (and implicitly strong) ETags. We can't suddenly require these to be quoted ETags since that would break backwards compatibility.
Instead we can allow either quoted or unquoted ETags to be returned. Since quotes are not an allowed character in the unquoted part of the ETag under the new specification, there won't be any ambiguity. Existing code will work as before, but it will now be possible for someone to provide an etag_func()
that returns a weak ETag.
There is still the possibility of a backwards incompatibility, though, since as noted above the current ETag specification is slightly incompatible with the old one (having to do with changing from an escaped string to an opaque string). That is, there exist ETags that would have been valid and would have matched under the old specification that will not match after this change. I would expect actual use of such ETags to be rare or nonexistent, and since the problem would be caused by user code that is incompatible with the HTTP specification this doesn't seem like a fatal problem.
PR