Context Navigation

← Previous Ticket
Next Ticket →

#36467 closed Cleanup/optimization (fixed)

Remove leading whitespace in value of Set-Cookie header in wsgi handler

Reported by:	Lukas Komischke	Owned by:	Lukas Komischke
Component:	HTTP handling	Version:	dev
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Currently, response headers in handlers/wsgi.py are generated with their value component starting with a whitespace character.

Although these whitespaces should be cleaned up by clients, if I understand RFC 6265 correctly, this causes an issue when using tornado > 6.5.0, as they have implemented stricter checks for headers:

tornado.httputil.HTTPInputError: Invalid header value ' csrftoken=7pFTUEBo24KFj9cKhWfeuTPSXmWYmYuQ; expires=Tue, 09 Jun 2026 14:27:44 GMT; Max-Age=31449600; Path=/; SameSite=Lax'

Django already properly strips those whitespaces in handlers/asgi.py, so I'd suggest also stripping them in handlers/wsgi.py in order to restore compatibility with tornado.

Change History (8)

comment:1 by Lukas Komischke, 5 months ago

Type:	Uncategorized → Cleanup/optimization

follow-up: 3 comment:2 by Sarah Boyce, 5 months ago

Resolution:	→ needsinfo
Status:	assigned → closed

Hi Lucas, can you share a test project or some tests so that we can replicate and validate the issue?

in reply to: 2 comment:3 by Lukas Komischke, 5 months ago

Replying to Sarah Boyce:

Hi Lucas, can you share a test project or some tests so that we can replicate and validate the issue?

Hi!

Sure! I've created a simple test project demonstrating the issue here: https://github.com/lukas-komischke-ameos/django_36467

comment:4 by Lukas Komischke, 5 months ago

Resolution:	needsinfo
Status:	closed → new
Version:	5.1 → 5.2

comment:5 by Sarah Boyce, 5 months ago

Triage Stage:	Unreviewed → Accepted
Version:	5.2 → dev

comment:6 by Sarah Boyce, 5 months ago

Triage Stage:	Accepted → Ready for checkin

comment:7 by Sarah Boyce <42296566+sarahboyce@…>, 5 months ago

In 1cd91d5:

Refs #36467 -- Added test for Set-Cookie header values in ASGIHandler.

comment:8 by Sarah Boyce <42296566+sarahboyce@…>, 5 months ago

Resolution:	→ fixed
Status:	new → closed

In db4d65f:

Fixed #36467 -- Removed leading whitespaces from Set-Cookie header values in WSGIHandler.

This also aligned the Set-Cookie logic in the WSGIHandler and ASGIHandler.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@…>

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues