Opened 17 years ago
Closed 17 years ago
#6764 closed (fixed)
Invalid Cookies cause Stacktrace in middleware
| Reported by: | Michael Axiak | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Keywords: | cookies, http | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If someone uses SessionMiddlware, any request with invalid cookies will result in a stack trace. For instance, someone visited a site with the cookie "lang:xml=ru".
If one were to use wget, you can repeat this on a number of sites:
$ wget --header "Cookie: lang:xml=ru" http://www.djangoprojects.com --09:06:39-- http://www.djangoproject.com/ => `-' Resolving www.djangoproject.com... 64.207.133.18 Connecting to www.djangoproject.com|64.207.133.18|:80... connected. HTTP request sent, awaiting response... 500 Internal Server Error 09:06:40 ERROR 500: Internal Server Error.
(It's also amazing how many Django developers are lazy enough to leave PythonDebug on, but that's not fixable.)
Attached is a patch to have invalid cookies result in no cookies at all, along with a test.
Someone might decide to emit a warning or something, that's not included in this patch.
Attachments (1)
Change History (4)
by , 17 years ago
| Attachment: | safe_cookie.diff added |
|---|
comment:1 by , 17 years ago
I guess this is a dupe of #6507, though I'm not sure I agree that there needs to be a way to get some of the keys if one of them is bad. (Hence the need for subclassing the Morsel and Cookie class)
comment:2 by , 17 years ago
| Triage Stage: | Unreviewed → Ready for checkin |
|---|
#6507 is overkill for this problem.
comment:3 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Patch to squelch cookie parsing errors.