Opened 3 months ago
Closed 3 months ago
#36547 closed New feature (invalid)
Construction of a cookie using user-supplied input
| Reported by: | pTr | Owned by: | pTr |
|---|---|---|---|
| Component: | Uncategorized | Version: | 5.2 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the set-cookie header.
```python
from flask import Flask, request, make_response

app = Flask(__name__)

@app.route("/1")
def set_cookie():
    resp = make_response()
    # BAD: User input is used to set the cookie's name and value
    resp.set_cookie(request.args["name"],
                    value=request.args["name"])
    return resp

@app.route("/2")
def set_cookie_header():
    resp = make_response()
    # BAD: User input is used to set the raw cookie header.
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};"
    return resp
```
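The hardened counterpart to the two handlers above, as an added example that is not part of the ticket or of Flask: the cookie name is checked against an allowlist (the names `theme` and `lang` are assumed) and both name and value are restricted to the RFC 6265 character set before a `Set-Cookie` value is built, so input containing separators or CR/LF is rejected instead of reaching the header.

```python
import re

# RFC 6265 grammar: cookie-name is a token; cookie-value is cookie-octet
# (no control characters, whitespace, '"', ',', ';' or '\').
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

# Assumed allowlist of cookie names the application actually uses.
ALLOWED_COOKIE_NAMES = frozenset({"theme", "lang"})


def validate_cookie_name(name: str) -> str:
    """Return name if it is allowlisted and a valid token, else raise ValueError."""
    if name not in ALLOWED_COOKIE_NAMES:
        raise ValueError(f"cookie name not allowlisted: {name!r}")
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError(f"cookie name is not a valid token: {name!r}")
    return name


def validate_cookie_value(value: str, max_len: int = 256) -> str:
    """Return value if it consists only of cookie-octets, else raise ValueError."""
    if len(value) > max_len or not _COOKIE_OCTET_RE.fullmatch(value):
        raise ValueError(f"cookie value contains disallowed characters: {value!r}")
    return value


def build_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value; attributes are fixed, never user-supplied."""
    name = validate_cookie_name(name)
    value = validate_cookie_value(value)
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def safe_set_cookie(response_headers: dict, name: str, value: str) -> bool:
    """Drop-in for the raw-header pattern in the ticket: sets the header only
    when the input validates. Returns True if set, False if rejected."""
    try:
        response_headers["Set-Cookie"] = build_set_cookie(name, value)
        return True
    except ValueError:
        return False
```

In a Flask view the call would be `safe_set_cookie(resp.headers, request.args["name"], request.args["value"])`, returning a 400 response when it yields False.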
Change History (2)
comment:1 by , 3 months ago
comment:2 by , 3 months ago
| Resolution: | → invalid |
|---|---|
| Status: | assigned → closed |
Hello, this ticket is not very clear. This appears to be a "New Feature" request, but the attached PR implies a bug in set_language.
Note that if you believe there is a bug, you should have a test/steps to reproduce for us to confirm there is an issue. In this case, lang_code is validated by check_for_language, so I don't think the added quote call is required.
https://github.com/django/django/pull/19726