Opened 8 years ago

Closed 8 years ago

#6764 closed (fixed)

Invalid Cookies cause Stacktrace in middleware

Reported by: axiak Owned by: nobody
Component: HTTP handling Version: master
Severity: Keywords: cookies, http
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


If someone uses SessionMiddlware, any request with invalid cookies will result in a stack trace. For instance, someone visited a site with the cookie "lang:xml=ru".

If one were to use wget, you can repeat this on a number of sites:

 $ wget --header "Cookie: lang:xml=ru"
           => `-'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
09:06:40 ERROR 500: Internal Server Error.

(It's also amazing how many Django developers are lazy enough to leave PythonDebug on, but that's not fixable.)

Attached is a patch to have invalid cookies result in no cookies at all, along with a test.

Someone might decide to emit a warning or something, that's not included in this patch.

Attachments (1)

safe_cookie.diff (1.1 KB) - added by axiak 8 years ago.
Patch to squelch cookie parsing errors.

Download all attachments as: .zip

Change History (4)

Changed 8 years ago by axiak

Patch to squelch cookie parsing errors.

comment:1 Changed 8 years ago by axiak

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

I guess this is a dupe of #6507, though I'm not sure I agree that there needs to be a way to get some of the keys if one of them is bad. (Hence the need for subclassing the Morsel and Cookie class)

comment:2 Changed 8 years ago by mtredinnick

  • Triage Stage changed from Unreviewed to Ready for checkin

#6507 is overkill for this problem.

comment:3 Changed 8 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from new to closed

(In [7257]) Fixed #6764 -- Added some error checking around cookie decoding. Thanks,
Michael Axiak.

Note: See TracTickets for help on using tickets.
Back to Top