[Django] #18403: Issue with redefined SimpleCookie with invalid cookie name


Django

May 30, 2012, 6:53:14 AM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
--------------------------------------------+--------------------
Reporter: Stefano Crosta <stefano@…> | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.4
Severity: Normal | Keywords: cookie
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------------+--------------------
To provoke the error:

{{{
from django.http import HttpResponse
response= HttpResponse()
response.set_cookie("a:.b/",1)
}}}

> AttributeError: 'SimpleCookie' object has no attribute 'bad_cookies'

with a python version that does not accept colons (":") in the cookie
name.

Django http/__init__.py redefines the SimpleCookie, and initializes
{{{bad_cookies}}} in a method {{{load(self, rawdata)}}} that does not seem
to be called in this case.

Besides the obvious fact that the cookie name is totally invalid, it looks
like {{{bad_cookies}}} is not correctly initialized (I wouldn't mind an
error, but a real one!)

Or am I using set_cookie incorrectly here?

--
Ticket URL: <https://code.djangoproject.com/ticket/18403>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 30, 2012, 10:19:23 AM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: nobody
<stefano@…> | Status: new
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution:
Severity: Normal | Triage Stage:
Keywords: cookie | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by ramiro):

* needs_docs: => 0
* needs_tests: => 0
* needs_better_patch: => 0


Old description:


> To provoke the error:
>
> {{{
> from django.http import HttpResponse
> response= HttpResponse()
> response.set_cookie("a:.b/",1)
> }}}
>
> > AttributeError: 'SimpleCookie' object has no attribute 'bad_cookies'
>
> with a python version that does not accept colons (":") in the cookie
> name.
>
> Django http/__init__.py redefines the SimpleCookie, and initializes
> {{{bad_cookies}}} in a method {{{load(self, rawdata)}}} that does not
> seem to be called in this case.
>
> Besides the obvious fact that the cookie name is totally invalid, it looks
> like {{{bad_cookies}}} is not correctly initialized (I wouldn't mind an
> error, but a real one!)
>
> Or am I using set_cookie incorrectly here?

New description:


To provoke the error:

{{{
from django.http import HttpResponse
response= HttpResponse()
response.set_cookie("a:.b/",1)


> AttributeError: 'SimpleCookie' object has no attribute 'bad_cookies'
}}}

with a python version that does not accept colons (":") in the cookie
name.

Django http/__init__.py redefines the SimpleCookie, and initializes
{{{bad_cookies}}} in a method {{{load(self, rawdata)}}} that does not seem
to be called in this case.

Besides the obvious fact that the cookie name is totally invalid, it looks
like {{{bad_cookies}}} is not correctly initialized (I wouldn't mind an
error, but a real one!)

Or am I using set_cookie incorrectly here?

--

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:1>

Django

Jun 9, 2012, 5:10:04 PM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: nobody
<stefano@…> | Status: new
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by lukeplant):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:2>

Django

Sep 9, 2013, 5:42:37 AM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: e0ne
<stefano@…> | Status: assigned
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by e0ne):

* owner: nobody => e0ne
* status: new => assigned


Comment:

Here is a pull request with the fix: https://github.com/django/django/pull/1605

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:3>

Django

Sep 9, 2013, 8:16:10 AM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: e0ne
<stefano@…> | Status: assigned
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 1 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by timo):

* has_patch: 0 => 1
* needs_tests: 0 => 1


Comment:

This needs a test as well.

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:4>

Django

Sep 9, 2013, 12:24:42 PM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: e0ne
<stefano@…> | Status: assigned
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by timo):

* needs_tests: 1 => 0


Comment:

Test was added, but fails on Python 3. Python 3 appears to fail loudly on
a bad cookie key rather than storing the key in `bad_cookies`. Question is
whether Django should catch this exception to maintain the same behavior
as Python 2 or if we should simply skip the new test on Python 3.

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:5>

Django

Sep 10, 2013, 8:27:15 AM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: e0ne
<stefano@…> | Status: closed
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution: fixed
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"f2a44528825ac07ca28c8bb7dc01b4375df8dc2c"]:
{{{
#!CommitTicketReference repository=""
revision="f2a44528825ac07ca28c8bb7dc01b4375df8dc2c"
Fixed #18403 -- Initialized bad_cookies in SimpleCookie

Thanks Stefano Crosta for the report.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:6>
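
The failure mode discussed in this ticket, reproduced without Django as an added example (not code from the ticket or from Django; the class names and the `set_bad_name` helper are hypothetical, and it uses Python 3's `http.cookies`): a cookie jar that records rejected names in `bad_cookies` but only creates that set in `load()`, next to a variant that creates it in `__init__`.

```python
from http.cookies import CookieError, Morsel, SimpleCookie

BAD_NAME = "a:.b/"  # cookie name from the report; "/" is not a legal name character


class LazyInitCookie(SimpleCookie):
    """Hypothetical stand-in for the reported pattern: bad_cookies exists only after load()."""

    def load(self, rawdata):
        self.bad_cookies = set()
        super().load(rawdata)

    def _BaseCookie__set(self, key, real_value, coded_value):
        # Overrides the name-mangled BaseCookie.__set that __setitem__ calls.
        try:
            super()._BaseCookie__set(key, real_value, coded_value)
        except CookieError:
            # Swallow the "illegal key" error and remember the name instead.
            self.bad_cookies.add(key)
            dict.__setitem__(self, key, Morsel())


class EagerInitCookie(LazyInitCookie):
    """Same jar, with the set created before any code path can reach __set."""

    def __init__(self, *args, **kwargs):
        self.bad_cookies = set()
        super().__init__(*args, **kwargs)


def set_bad_name(cookie_cls, preload=None):
    """Assign BAD_NAME on a fresh jar and report what happened as a string."""
    jar = cookie_cls()
    if preload is not None:
        jar.load(preload)  # request-style path: parses a Cookie header
    try:
        jar[BAD_NAME] = "1"  # response-style path: load() is never called
    except AttributeError as exc:
        return "AttributeError: %s" % exc
    return "recorded: %s" % sorted(jar.bad_cookies)


if __name__ == "__main__":
    print(set_bad_name(LazyInitCookie))                  # masks the real error
    print(set_bad_name(LazyInitCookie, preload="ok=1"))  # works only after load()
    print(set_bad_name(EagerInitCookie))                 # works on every path
```

The lazy variant fails only on jars that never parsed a header, which is why the error surfaces from `set_cookie` on a response rather than from request handling.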

Django

Jan 23, 2014, 10:24:08 PM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: e0ne
<stefano@…> | Status: closed
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution: fixed
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------

Comment (by fabian):

I'm having this issue in Django 1.6.1 - is this really fixed!?

{{{#!python
response = HttpResponse(json.dumps(result))
response.set_cookie(response, '123', expires=expires)
}}}

{{{
Internal Server Error: /goodies/ajax/authenticate_goody/
Traceback (most recent call last):
  File "/Users/rothfuchs/Documents/workspace/mygoody/pyenv/lib/python2.7/site-packages/django/core/handlers/base.py", line 114, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/rothfuchs/Documents/workspace/mygoody/goodies/ajax.py", line 30, in authenticate_goody
    response.set_cookie(response, '123', expires=expires)
  File "/Users/rothfuchs/Documents/workspace/mygoody/pyenv/lib/python2.7/site-packages/django/http/response.py", line 229, in set_cookie
    self.cookies[key] = value
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/Cookie.py", line 592, in __setitem__
    self.__set(key, rval, cval)
  File "/Users/rothfuchs/Documents/workspace/mygoody/pyenv/lib/python2.7/site-packages/django/http/cookie.py", line 67, in _BaseCookie__set
    self.bad_cookies.add(key)
AttributeError: 'SimpleCookie' object has no attribute 'bad_cookies'
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:7>

Django

Jan 23, 2014, 10:41:11 PM
to django-...@googlegroups.com
#18403: Issue with redefined SimpleCookie with invalid cookie name
-------------------------------------+-------------------------------------
Reporter: Stefano Crosta | Owner: e0ne
<stefano@…> | Status: closed
Type: Bug | Version: 1.4
Component: HTTP handling | Resolution: fixed
Severity: Normal | Triage Stage: Accepted
Keywords: cookie | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------

Comment (by timo):

If you look at the commit above, you'll see it's present on master/1.7a1.
It won't be backported to 1.6 as it's not a regression (ticket was open 20
months before it was fixed).

--
Ticket URL: <https://code.djangoproject.com/ticket/18403#comment:8>
