Opened 4 years ago

Last modified 3 years ago

#32191 closed Bug

Not RFC Compliant Cookie handling — at Version 1

Reported by: Nico Giefing Owned by: nobody
Component: contrib.messages Version: 3.1
Severity: Normal Keywords: Cookie malformed
Cc: Collin Anderson, Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Nico Giefing)

Hi
A customer of mine is using a WAF which handles cookies as described in the RFC: https://tools.ietf.org/html/rfc6265

The issue now is that Django is trying to use an escape character in cookie values, which is not supported in the RFC.

An example of such a cookie:

messages=\"123\\\"NOTRECEIVED\""

Please consider getting this fixed so that this system can be protected.

Regards,

Nico
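
The quoting the report describes comes from Python's `http.cookies` module, which Django's cookie serialization is built on: a value containing a double quote is wrapped in DQUOTE and the inner quote is backslash-escaped, and RFC 6265's cookie-value grammar has no backslash in its cookie-octet set. The following is an added example (not code from the ticket, the reporter, or Django) that reproduces that serialization, checks a value against the RFC 6265 grammar, and shows percent-encoding as one encoding that keeps every byte inside cookie-octet; the function names and the sample value are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

# RFC 6265 section 4.1.1:
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII minus CTLs, SP, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
COOKIE_VALUE_RE = re.compile(rf'^(?:{COOKIE_OCTET}*|"{COOKIE_OCTET}*")$')


def is_rfc6265_cookie_value(value: str) -> bool:
    """True if `value` (the part after '=') matches the RFC 6265 cookie-value grammar."""
    return COOKIE_VALUE_RE.match(value) is not None


def legacy_serialize(name: str, value: str) -> str:
    """Serialize a cookie with http.cookies (the stdlib layer under Django's set_cookie).

    Values outside the module's legal-character set are wrapped in DQUOTE and
    any '"' or '\\' inside is backslash-escaped, the RFC 2109-era quoting that
    a strict RFC 6265 parser (such as the WAF in the report) rejects.
    """
    jar = SimpleCookie()
    jar[name] = value
    return jar[name].OutputString()


def value_part(header: str) -> str:
    """Return the cookie-value portion of a 'name=value' string."""
    return header.split("=", 1)[1]


def rfc6265_serialize(name: str, value: str) -> str:
    """Percent-encode the value so every emitted byte is a cookie-octet.

    '%' (0x25) and the hex digits are all inside cookie-octet, so the result
    needs no quoting and contains no backslash. (Constructed approach for
    illustration; not a statement of how Django fixed this ticket.)
    """
    return f"{name}={quote(value, safe='')}"


def rfc6265_decode(header: str) -> str:
    """Inverse of rfc6265_serialize: recover the original value."""
    return unquote(value_part(header))


if __name__ == "__main__":
    # Constructed sample modelled on the ticket's example value.
    sample = '123"NOTRECEIVED'
    legacy = legacy_serialize("messages", sample)
    print(legacy)                                   # messages="123\"NOTRECEIVED"
    print(is_rfc6265_cookie_value(value_part(legacy)))  # False: backslash and inner DQUOTE
    safe = rfc6265_serialize("messages", sample)
    print(safe)                                     # messages=123%22NOTRECEIVED
    print(is_rfc6265_cookie_value(value_part(safe)))    # True
    print(rfc6265_decode(safe) == sample)           # True
```

The check is worth keeping as a test in any project that emits cookies through a proxy or WAF that enforces RFC 6265 strictly: run `is_rfc6265_cookie_value` over every `Set-Cookie` value the application produces and fail the test on the first value that needs backslash escaping.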

Change History (1)

comment:1 by Nico Giefing, 4 years ago

Description: modified (diff)