[Django] #36547: Construction of a cookie using user-supplied input


Django

Aug 13, 2025, 2:25:54 AM
to django-...@googlegroups.com
#36547: Construction of a cookie using user-supplied input
-----------------------------------------+--------------------------
Reporter: ptrgits | Owner: ptrgits
Type: New feature | Status: assigned
Component: Uncategorized | Version: 5.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+--------------------------
In the following cases, a cookie is constructed for a Flask response using
user input. The first uses set_cookie, and the second sets a cookie's raw
value through the set-cookie header.


{{{
from flask import Flask, request, make_response

app = Flask(__name__)


@app.route("/1")
def set_cookie():
    resp = make_response()
    # BAD: User input is used to set the cookie's name and value
    resp.set_cookie(request.args["name"], value=request.args["name"])
    return resp


@app.route("/2")
def set_cookie_header():
    resp = make_response()
    # BAD: User input is used to set the raw cookie header.
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};"
    return resp
}}}



https://en.wikipedia.org/wiki/Session_fixation
--
Ticket URL: <https://code.djangoproject.com/ticket/36547>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 13, 2025, 2:27:48 AM
to django-...@googlegroups.com
#36547: Construction of a cookie using user-supplied input
-------------------------------+--------------------------------------
Reporter: ptrgits | Owner: ptrgits
Type: New feature | Status: assigned
Component: Uncategorized | Version: 5.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by ptrgits):

https://github.com/django/django/pull/19726
--
Ticket URL: <https://code.djangoproject.com/ticket/36547#comment:1>

Django

Aug 13, 2025, 3:59:28 AM
to django-...@googlegroups.com
#36547: Construction of a cookie using user-supplied input
-------------------------------+--------------------------------------
Reporter: pTr | Owner: pTr
Type: New feature | Status: closed
Component: Uncategorized | Version: 5.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Sarah Boyce):

* resolution: => invalid
* status: assigned => closed

Comment:

Hello, this ticket is not very clear. This appears to be a "New Feature"
request, but the attached PR implies a bug in `set_language`.

Note that if you believe there is a bug, you should have a test/steps to
reproduce for us to confirm there is an issue. In this case, `lang_code`
is validated by `check_for_language`, so I don't think the added `quote`
call is required.
--
Ticket URL: <https://code.djangoproject.com/ticket/36547#comment:2>
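As an added illustration of the pattern flagged in the ticket's Flask snippet and of the allowlist approach the closing comment describes (this is example code, not from the ticket, the linked PR, or Django itself): cookie name and value are checked against the RFC 6265 grammar before being serialised, and the language cookie is built only from a fixed cookie name plus a supported-language allowlist, so no extra `quote` step is needed. `SUPPORTED_LANGUAGES`, `LANGUAGE_COOKIE_NAME` and the function names are assumptions.

```python
import re
from typing import Optional

# RFC 6265: cookie-name is an HTTP token; cookie-value is made of cookie-octets.
# Neither grammar admits CR, LF, ';', ',' or whitespace, which is why
# concatenating raw user input into Set-Cookie corrupts the header.
_TOKEN = re.compile(r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+")
_COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

# Constructed allowlist standing in for the language codes an application
# supports (the role check_for_language plays for Django's language cookie).
SUPPORTED_LANGUAGES = frozenset({"en", "fr", "de"})
LANGUAGE_COOKIE_NAME = "django_language"  # chosen by the application, never by the client


class CookieInjection(ValueError):
    """Raised when a name or value would break out of the Set-Cookie header."""


def is_valid_cookie_name(name: str) -> bool:
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    return _TOKEN.fullmatch(name) is not None


def is_valid_cookie_value(value: str) -> bool:
    return _COOKIE_OCTET.fullmatch(value) is not None


def build_set_cookie_header(name: str, value: str, path: str = "/") -> str:
    """Serialise one Set-Cookie header, refusing any piece outside the grammar."""
    if not is_valid_cookie_name(name):
        raise CookieInjection(f"invalid cookie name: {name!r}")
    if not is_valid_cookie_value(value):
        raise CookieInjection(f"invalid cookie value: {value!r}")
    return f"{name}={value}; Path={path}; SameSite=Lax; Secure; HttpOnly"


def language_cookie_header(user_supplied_lang: str) -> Optional[str]:
    """Allowlist first: an unknown code never reaches the header at all,
    so no quoting or encoding step is needed on top of the grammar check."""
    if user_supplied_lang not in SUPPORTED_LANGUAGES:
        return None
    return build_set_cookie_header(LANGUAGE_COOKIE_NAME, user_supplied_lang)
```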