Opened 4 years ago

Last modified 3 years ago

#32191 closed Bug

Not RFC Compliant Cookie handling — at Initial Version

Reported by: Nico Giefing Owned by: nobody
Component: contrib.messages Version: 3.1
Severity: Normal Keywords: Cookie malformed
Cc: Collin Anderson, Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hi
A Customer of mine is using a WAF which is handling Cookies as it is described tin the RFC: https://tools.ietf.org/html/rfc6265

The issue now is that Django is trying to use an escape-character in cookie-Values which is not supported in the RFC

an example of such a cookie: messages=\"123
\"NOTRECEIVED\""

Please consider to get this fixed so there can be a protection of this system.

Regards,

Nico

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top