Incorrect HTTP-Date format in expire field of HTTP Header
| Reported by: | Ciantic | Owned by: | mtredinnick |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
Currently Django uses datetime.strftime to format its HTTP-Date; because strftime is a localized function, it should not be used for this.
Changing the locale to something other than English will break Django's session system on some browsers in its current state.
Using datetime.ctime instead makes Django's HTTP-Date format automatically correct, and it is no longer locale dependent. The ctime function also automatically handles the GMT conversion if needed, which is why the patch also changes utcnow to now. It clearly conforms to the HTTP specification, as stated in the HTTP Specs (the third choice).
This fixes only the expire field in django.contrib.session.middleware, but the problem might be elsewhere too (mostly where HTTP-Date is used). A common rule is that strftime is not meant for fixed date formats.
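The locale dependence described in the report, as an added example that is not part of the ticket, its patch, or Django's code. Instead of the ctime approach the ticket proposes, it uses the standard library's email.utils.format_datetime as the fixed-format alternative; the sample expiry time and the candidate locale list are constructed, and locales not installed on the host are skipped.

```python
import locale
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample: a fixed session expiry instant in UTC.
EXPIRY = datetime(2007, 3, 7, 14, 30, 0, tzinfo=timezone.utc)

# Assumption: which of these non-English locales exist depends on the host.
CANDIDATE_LOCALES = ("fi_FI.UTF-8", "de_DE.UTF-8", "fr_FR.UTF-8")


def strftime_http_date(dt):
    """Locale-dependent: %a and %b follow the process-wide LC_TIME setting."""
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")


def fixed_http_date(dt):
    """Locale-independent RFC 1123 date; day and month names are always English."""
    return format_datetime(dt.astimezone(timezone.utc), usegmt=True)


def compare_under_locales(dt=EXPIRY):
    """Return {locale: (strftime_output, fixed_output)} for each installed candidate."""
    results = {}
    saved = locale.setlocale(locale.LC_TIME)  # query current setting
    try:
        for name in CANDIDATE_LOCALES:
            try:
                locale.setlocale(locale.LC_TIME, name)
            except locale.Error:
                continue  # locale not installed on this host
            results[name] = (strftime_http_date(dt), fixed_http_date(dt))
    finally:
        locale.setlocale(locale.LC_TIME, saved)  # always restore
    return results


if __name__ == "__main__":
    print("default locale | strftime:", strftime_http_date(EXPIRY))
    for name, (localized, fixed) in compare_under_locales().items():
        print(name, "| strftime:", localized, "| fixed:", fixed)
```

On a host with one of the candidate locales installed, the strftime column shows translated day and month names while the fixed column stays identical across locales.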
Change History (17)
comment:1 Changed 9 years ago by Ciantic
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 9 years ago by Simon G. <dev@…>
- Triage Stage changed from Unreviewed to Ready for checkin
comment:4 Changed 9 years ago by mtredinnick
- Triage Stage changed from Ready for checkin to Accepted
Changed 9 years ago by Chris Bennett <chrisrbennett@…>
comment:10 Changed 9 years ago by mtredinnick
- Resolution set to fixed
- Status changed from new to closed
comment:11 follow-up: ↓ 12 Changed 9 years ago by gwilson
- Resolution fixed deleted
- Status changed from closed to reopened