Opened 17 years ago

Closed 17 years ago

#6764 closed (fixed)

Invalid Cookies cause Stacktrace in middleware

Reported by: Michael Axiak
Owned by: nobody
Component: HTTP handling
Version: dev
Severity:
Keywords: cookies, http
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If someone uses SessionMiddleware, any request with invalid cookies will result in a stack trace. For instance, someone visited a site with the cookie "lang:xml=ru".

If one were to use wget, you can repeat this on a number of sites:

 $ wget --header "Cookie: lang:xml=ru" http://www.djangoprojects.com
--09:06:39--  http://www.djangoproject.com/
           => `-'
Resolving www.djangoproject.com... 64.207.133.18
Connecting to www.djangoproject.com|64.207.133.18|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
09:06:40 ERROR 500: Internal Server Error.

(It's also amazing how many Django developers are lazy enough to leave PythonDebug on, but that's not fixable.)

Attached is a patch to have invalid cookies result in no cookies at all, along with a test.

Someone might decide to emit a warning or something, that's not included in this patch.
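The two approaches the ticket contrasts (this patch: any parse error means no cookies at all; #6507: keep the good pairs and drop only the bad one) can be shown side by side with the standard library's cookie parser. This is an added illustration, not the attached safe_cookie.diff or Django's own code; the function names, the RFC 6265 token regex and the sample headers are constructed for this example.

```python
"""Added illustration: two ways to keep a malformed Cookie header from
becoming a 500.  Constructed example, not the patch attached to the ticket."""
import re
from http.cookies import CookieError, SimpleCookie

# RFC 6265 cookie-name is an HTTP token: separators such as ':' '(' ')' '@'
# ',' ';' '=' and whitespace are not allowed, so "lang:xml" is not a valid name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_cookie_header_strict(header: str) -> dict:
    """Behaviour the ticket's patch asks for: hand the raw header to the
    stdlib parser and, if it raises CookieError, treat the request as
    carrying no cookies at all instead of letting the error propagate."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def parse_cookie_header_lenient(header: str) -> dict:
    """Alternative discussed in #6507: keep the well-formed name=value pairs
    and drop only the malformed ones, so a single bad cookie cannot blank
    out the session cookie that sits next to it."""
    cookies = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        name = name.strip()
        if not sep or not _TOKEN_RE.match(name):
            continue  # no '=' or an illegal name: skip just this pair
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unwrap a quoted cookie-value
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    # Constructed headers: the one from the ticket, plus mixed good/bad ones.
    for hdr in ("lang:xml=ru",
                "lang:xml=ru; sessionid=abc123",
                "sessionid=abc123; csrftoken=xyz"):
        print(repr(hdr), "->",
              parse_cookie_header_strict(hdr),
              parse_cookie_header_lenient(hdr))
```

Neither function lets a parse error escape to the middleware; the difference is only how much of a partly bad header survives. Note that which names the stdlib parser rejects has changed across Python versions, so the strict variant is the one whose result depends on the interpreter, while the lenient variant applies the token rule itself.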

Attachments (1)

safe_cookie.diff (1.1 KB ) - added by Michael Axiak 17 years ago.
Patch to squelch cookie parsing errors.


Change History (4)

by Michael Axiak, 17 years ago

Attachment: safe_cookie.diff added

Patch to squelch cookie parsing errors.

comment:1 by Michael Axiak, 17 years ago

I guess this is a dupe of #6507, though I'm not sure I agree that there needs to be a way to get some of the keys if one of them is bad. (Hence the need for subclassing the Morsel and Cookie class)

comment:2 by Malcolm Tredinnick, 17 years ago

Triage Stage: Unreviewed → Ready for checkin

#6507 is overkill for this problem.

comment:3 by Malcolm Tredinnick, 17 years ago

Resolution: fixed
Status: new → closed

(In [7257]) Fixed #6764 -- Added some error checking around cookie decoding. Thanks,
Michael Axiak.
