Opened 3 weeks ago
Closed 3 weeks ago
#36547 closed New feature (invalid)
Construction of a cookie using user-supplied input
Reported by: | pTr | Owned by: | pTr |
---|---|---|---|
Component: | Uncategorized | Version: | 5.2 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the set-cookie header.
```python
from flask import Flask, request, make_response

app = Flask(__name__)  # added so the snippet runs stand-alone; the ticket's code assumed an existing app


@app.route("/1")
def set_cookie():
    resp = make_response()
    resp.set_cookie(request.args["name"],  # BAD: User input is used to set the cookie's name and value
                    value=request.args["name"])
    return resp


@app.route("/2")
def set_cookie_header():
    resp = make_response()
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};"  # BAD: User input is used to set the raw cookie header.
    return resp
```
Change History (2)
comment:1 by , 3 weeks ago
comment:2 by , 3 weeks ago
Resolution: | → invalid |
---|---|
Status: | assigned → closed |
Hello, this ticket is not very clear. This appears to be a "New Feature" request, but the attached PR implies a bug in set_language.
Note that if you believe there is a bug, you should have a test/steps to reproduce for us to confirm there is an issue. In this case, lang_code is validated by check_for_language, so I don't think the added quote call is required.
https://github.com/django/django/pull/19726
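The two flagged routes in the description write a request parameter straight into a cookie's name and value, and the closing comment points out why the Django PR was unnecessary: set_language only writes a lang_code that has already passed check_for_language, so escaping adds nothing. The example below is added here and is not code from the ticket, from Django or from Flask. It shows both halves of that reasoning in plain Python: an RFC 6265 check for cookie names and values that refuses (rather than escapes) anything that could smuggle in an extra attribute or header line, and an allowlist-then-set language cookie in the style the comment describes. `ALLOWED_LANGUAGES` is a constructed allowlist, `LANGUAGE_COOKIE_NAME` is an assumed name, and `build_set_cookie`, `set_language_cookie` and `header_or_none` are hypothetical helpers written for this example.

```python
import re

# RFC 6265 grammars. cookie-name is a token; cookie-value is a run of
# cookie-octets: printable US-ASCII except CTLs, whitespace, DQUOTE, comma,
# semicolon and backslash. Input outside these sets is rejected outright, so a
# request parameter can never carry "; Path=..." into the header or a CRLF
# that starts a second header line.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

# Constructed allowlist standing in for the language codes an application
# actually supports; this is the same validate-first design the ticket's
# closing comment attributes to check_for_language.
ALLOWED_LANGUAGES = frozenset({"en", "en-gb", "fr", "de", "es"})
LANGUAGE_COOKIE_NAME = "language"  # assumed cookie name, not a Django or Flask default


def is_valid_cookie_name(name: str) -> bool:
    """True when name is an RFC 6265 token (non-empty, no separators)."""
    return bool(_TOKEN_RE.match(name))


def is_valid_cookie_value(value: str) -> bool:
    """True when every character of value is a cookie-octet (empty is allowed)."""
    return bool(_COOKIE_OCTET_RE.match(value))


def build_set_cookie(name: str, value: str, *, path: str = "/",
                     http_only: bool = True, secure: bool = True,
                     same_site: str = "Lax") -> str:
    """Return a Set-Cookie header value, or raise ValueError when name or
    value does not fit the grammar. Attributes come from the application,
    never from the request, so only name and value need checking."""
    if not is_valid_cookie_name(name):
        raise ValueError(f"illegal cookie name: {name!r}")
    if not is_valid_cookie_value(value):
        raise ValueError(f"illegal cookie value: {value!r}")
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError(f"illegal SameSite value: {same_site!r}")
    parts = [f"{name}={value}", f"Path={path}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def header_or_none(name: str, value: str):
    """Convenience wrapper: the header value, or None if the input was rejected."""
    try:
        return build_set_cookie(name, value)
    except ValueError:
        return None


def set_language_cookie(user_supplied_code: str):
    """Allowlist-then-set: the request only selects among known codes, so the
    value written to the header is always one the application defined.
    Returns the header value, or None when the code is not supported."""
    code = user_supplied_code.strip().lower()
    if code not in ALLOWED_LANGUAGES:
        return None
    return build_set_cookie(LANGUAGE_COOKIE_NAME, code)


if __name__ == "__main__":
    # Constructed request values: one benign, two shaped like header smuggling.
    for raw in ("fr", "fr; Domain=example.test", "en\r\nSet-Cookie: admin=1"):
        print(repr(raw), "->", set_language_cookie(raw))
    print("raw value check ->", header_or_none("sid", "abc; Path=/"))
```

Rejecting is preferable to quoting here: a quoted cookie value still reaches the browser, and how user agents unquote it varies, whereas an allowlist or a strict grammar check means nothing the request controls is ever interpreted as cookie syntax.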