[Django] #28690: django.utils.http.parse_http_date two digit year check is incorrect
Django
-----------------------------------------+------------------------
Reporter: Mads Jensen | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-----------------------------------------+------------------------
RFC 850 does not mention this, but in RFC 7231 (and there's something
similar in RFC 2822), there's the following quote:
Recipients of a timestamp value in rfc850-date format, which uses a
two-digit year, MUST interpret a timestamp that appears to be more
than 50 years in the future as representing the most recent year in
the past that had the same last two digits.
The `< 70` is incorrect, and should have been `< 50`. I inserted a diff
that applies.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: Mads Jensen | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Mads Jensen):
* Attachment "parse-http-date-year.patch" added.
Django
Reporter: Mads Jensen | Owner: nobody
Type: Bug | Status: new
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Claude Paroz):
* component: Uncategorized => Utilities
* stage: Unreviewed => Accepted
Comment:
Accepted, however I don't think your patch is correct. The check should be
relative to the current year, if I read the RFC quote correctly.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:1>
Django
Reporter: Mads Jensen | Owner: Baguage
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Baguage):
* status: new => assigned
* owner: nobody => Baguage
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:2>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Alexander Vyushkov):
* has_patch: 0 => 1
Comment:
Created a pull request: Created a pull request:
https://github.com/django/django/pull/9214
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:3>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Levi Payne):
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:4>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Levi Payne):
* stage: Ready for checkin => Accepted
Comment:
Still some suggested edits on the PR.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:5>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Tim Graham):
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:6>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Alexander Vyushkov):
* needs_better_patch: 1 => 0
Comment:
I added regression test that fails with old code
(test_parsing_rfc850_year_69), updated commit message to hopefully follow
the guidelines, and added additional comments about the change. Squashed
commits as well.
Could you review the pull request again?
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:7>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Tim Graham):
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:8>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Alexander Vyushkov):
* needs_better_patch: 1 => 0
Comment:
sent new pull request
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:9>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Carlton Gibson):
* needs_better_patch: 0 => 1
Comment:
This is awaiting for changes from Tim's feedback on PR.
(Please uncheck "Patch needs improvement" again when that's done. 🙂)
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:10>
Django
Reporter: Mads Jensen | Owner: Alexander
| Vyushkov
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Comment (by Tameesh Biswas):
As this issue hasn't received any updates in the last 6 months, may I work
on this ticket?
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:11>
Django
Reporter: Mads Jensen | Owner: (none)
Type: Bug | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Alexander Vyushkov):
* status: assigned => new
* owner: Alexander Vyushkov => (none)
Comment:
Go for it, I don't think I will have time to finish it.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:12>
Django
Reporter: Mads Jensen | Owner: Tameesh Biswas
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Tameesh Biswas):
* status: new => assigned
* owner: (none) => Tameesh Biswas
Comment:
Thanks, I'll open pick up from where you left off in the PR and make the
recommended changes on a new PR.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:13>
Django
Reporter: Mads Jensen | Owner: Tameesh Biswas
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Comment (by Vishvajit Pathak):
Tameesh Biswas
Are you working on this ?
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:14>
Django
Reporter: Mads Jensen | Owner: Tameesh Biswas
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Comment (by Tameesh Biswas):
Yes, I am.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:15>
Django
Reporter: Mads Jensen | Owner: Tameesh Biswas
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Comment (by Tameesh Biswas):
I've just picked up from the previous PR and opened a new PR here:
https://github.com/django/django/pull/10749
It adds regression tests in the first commit that pass without applying
the fix and adds the fix with another test-case that only passes with the
fix applied.
Could you please review the changes?
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:16>
Django
Reporter: Mads Jensen | Owner: Tameesh Biswas
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Comment (by Simon Charette):
Tameesh, I left a comment on the PR regarding the use of non-UTC
''today''.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:17>
Django
Reporter: Mads Jensen | Owner: David Jovanović
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by David Jovanović):
* owner: Tameesh Biswas => David Jovanović
Comment:
As an issue haven't received an update for 4 months, I'm taking it over
(djangocon europe 2019 sprint day 1).
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:18>
Django
Reporter: Mads Jensen | Owner: David Jovanović
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Comment (by David Jovanović):
Created new PR: https://github.com/django/django/pull/11212
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:19>
Django
Reporter: Mads Jensen | Owner: David Jovanović
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by David Jovanović):
* needs_better_patch: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:20>
Django
Reporter: Mads Jensen | Owner: David Jovanović
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Comment (by Tim Bell):
I think an earlier comment by Simon Charette (about using a fixed year in
the tests) still applies to the new PR; I've added it.
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:21>
Django
Reporter: Mads Jensen | Owner: David Jovanović
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Tim Bell):
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:22>
Django
Reporter: Mads Jensen | Owner: Ad Timmering
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
Changes (by Ad Timmering):
* cc: Ad Timmering (added)
* owner: David Jovanović => Ad Timmering
Old description:
> RFC 850 does not mention this, but in RFC 7231 (and there's something
> similar in RFC 2822), there's the following quote:
>
> Recipients of a timestamp value in rfc850-date format, which uses a
> two-digit year, MUST interpret a timestamp that appears to be more
> than 50 years in the future as representing the most recent year in
> the past that had the same last two digits.
>
> The `< 70` is incorrect, and should have been `< 50`. I inserted a diff
> that applies.
New description:
RFC 850 does not mention this, but in RFC 7231 (and there's something
similar in RFC 2822), there's the following quote:
Recipients of a timestamp value in rfc850-date format, which uses a
two-digit year, MUST interpret a timestamp that appears to be more
than 50 years in the future as representing the most recent year in
the past that had the same last two digits.
Current logic is hard coded to consider 0-69 to be in 2000-2069, and 70-99
to be 1970-1999, instead of comparing versus the current year.
--
Comment:
Taking the liberty to reassign due to inactivity (6 months) and adding a
pull request with revised code and addressing feedback on prior PRs.
Please add give your comments for any concerns:)
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:23>
Django
Reporter: Mads Jensen | Owner: Ad Timmering
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Ad Timmering):
* needs_better_patch: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:24>
Django
-----------------------------+----------------------------------------
Reporter: Mads Jensen | Owner: Ad Timmering
Type: Bug | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+----------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"7cbd25a06e820cbd1a0bfbc339fb7d9a737c54fa" 7cbd25a]:
{{{
#!CommitTicketReference repository=""
revision="7cbd25a06e820cbd1a0bfbc339fb7d9a737c54fa"
Refs #28690 -- Added more tests for parse_http_date().
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:25>
Django
-----------------------------+----------------------------------------
Reporter: Mads Jensen | Owner: Ad Timmering
Component: Utilities | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+----------------------------------------
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"7b5f8acb9e6395a1660dd7bfeb365866ca8ef47c" 7b5f8ac]:
{{{
#!CommitTicketReference repository=""
revision="7b5f8acb9e6395a1660dd7bfeb365866ca8ef47c"
Fixed #28690 -- Fixed handling of two-digit years in parse_http_date().
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:26>
Django
-----------------------------+----------------------------------------
Reporter: Mads Jensen | Owner: Ad Timmering
Type: Bug | Status: closed
Component: Utilities | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+----------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"f38655ed1c701ebbaffab15cc6ae56376b9c25ba" f38655e]:
{{{
#!CommitTicketReference repository=""
revision="f38655ed1c701ebbaffab15cc6ae56376b9c25ba"
[3.0.x] Refs #28690 -- Added more tests for parse_http_date().
Backport of 7cbd25a06e820cbd1a0bfbc339fb7d9a737c54fa from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:27>
Django
-----------------------------+----------------------------------------
Reporter: Mads Jensen | Owner: Ad Timmering
Type: Bug | Status: closed
Component: Utilities | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+----------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"556d0c08bded4cdeaedd513c4c73dbf05fd8650e" 556d0c0]:
{{{
#!CommitTicketReference repository=""
revision="556d0c08bded4cdeaedd513c4c73dbf05fd8650e"
[3.0.x] Fixed #28690 -- Fixed handling of two-digit years in
parse_http_date().
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
Backport of 7b5f8acb9e6395a1660dd7bfeb365866ca8ef47c from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28690#comment:28>