Opened 4 years ago
Last modified 3 years ago
#32191 closed Bug
Not RFC Compliant Cookie handling — at Version 1
Reported by: | Nico Giefing | Owned by: | nobody |
---|---|---|---|
Component: | contrib.messages | Version: | 3.1 |
Severity: | Normal | Keywords: | Cookie malformed |
Cc: | Collin Anderson, Florian Apolloner | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi
A customer of mine is using a WAF which is handling cookies as described in the RFC: https://tools.ietf.org/html/rfc6265
The issue now is that Django is trying to use an escape character in cookie values, which is not supported in the RFC.
An example of such a cookie:
messages=\"123\\\"NOTRECEIVED\""
Please consider getting this fixed so there can be a protection of this system.
Regards,
Nico
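
An added example, not part of the ticket or of Django's code: a check of a cookie value against the RFC 6265 section 4.1.1 `cookie-value` grammar, which is the kind of test a strict WAF applies, run over the value quoted in the description. The function names and the second sample value are constructed for illustration, and percent-encoding is shown only as one encoding that satisfies the grammar, not as the fix Django adopted.

```python
import re
from urllib.parse import quote

# RFC 6265 section 4.1.1:
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII without space, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]")
NAMES = {'"': "DQUOTE", "\\": "backslash", ",": "comma", ";": "semicolon", " ": "space"}


def violations(value):
    """Return [(index, char, reason)] for each octet the grammar disallows."""
    start, end = 0, len(value)
    # One enclosing pair of DQUOTEs is allowed; anything inside must still
    # be a cookie-octet, so backslash-escaped quotes are never valid.
    if end >= 2 and value[0] == '"' and value[-1] == '"':
        start, end = 1, end - 1
    found = []
    for i in range(start, end):
        ch = value[i]
        if not COOKIE_OCTET.fullmatch(ch):
            found.append((i, ch, NAMES.get(ch, "control or non-ASCII")))
    return found


def is_compliant(value):
    return not violations(value)


def encode_compliant(raw):
    """Percent-encode so that only cookie-octets remain (illustrative only)."""
    return quote(raw, safe="")


# Value exactly as written in the ticket, after "messages=".
TICKET_VALUE = r'\"123\\\"NOTRECEIVED\""'
# Constructed sample: a DQUOTE-wrapped value containing a backslash-escaped quote.
QUOTED_VALUE = r'"123\"NOTRECEIVED"'

if __name__ == "__main__":
    for sample in (TICKET_VALUE, QUOTED_VALUE, encode_compliant('123"NOTRECEIVED')):
        print(sample, "->", violations(sample) or "compliant")
```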