Source: python-django-formtools
Version: 2.5.1-3
Severity: serious
Tags: patch

Hi,

The fix for CVE-2026-6873 in Django now prevents certain kinds of manual
cookie comparison, which django-formtools performs in one of its tests:

61s ======================================================================
61s FAIL: test_reset_cookie (tests.wizard.test_cookiestorage.TestCookieStorage.test_reset_cookie)
61s ----------------------------------------------------------------------
61s Traceback (most recent call last):
61s   File "/tmp/autopkgtest-lxc._ba8av8t/downtmp/build.9sR/src/tests/wizard/test_cookiestorage.py", line 40, in test_reset_cookie
61s     self.assertEqual(response.cookies[storage.prefix].value, signed_cookie_data)
61s     ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
61s AssertionError: '{"key1":"value1"}:1wXUN8:wGU8PZi0VS8ZKun8bclQFzQcUCM7S-r7O0Hlcx73z-w' != '{"key1":"value1"}:1wXUN8:gUNArgDuXseaa0sqjhu6zALXybaEDQN-zOw8C8kPuD0'
61s - {"key1":"value1"}:1wXUN8:wGU8PZi0VS8ZKun8bclQFzQcUCM7S-r7O0Hlcx73z-w
61s + {"key1":"value1"}:1wXUN8:gUNArgDuXseaa0sqjhu6zALXybaEDQN-zOw8C8kPuD0

This has been reported upstream:

https://github.com/jazzband/django-formtools/issues/298

A patch is attached that detects the affected Django versions and will skip
this test, thus preventing an FTBFS (and autopkgtest failures when trying to
get 5.2.15 into testing).

Best wishes,

--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git tests/wizard/test_cookiestorage.py tests/wizard/test_cookiestorage.py
index aa6c7a8..ce76988 100644
--- tests/wizard/test_cookiestorage.py
+++ tests/wizard/test_cookiestorage.py
@@ -1,3 +1,7 @@
+import django
+
+from unittest import skipIf
+
from django.core import signing
from django.http import HttpResponse
from django.test import TestCase
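Review bot: In the new import lines at the top of the file, `from unittest import skipIf` is a standard-library import but sits after `import django`. Putting the `unittest` import first, then a blank line, then `import django` together with the existing `from django...` imports keeps the usual stdlib-then-third-party grouping and makes the patch easier for upstream to take unchanged.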
@@ -26,6 +30,7 @@ class TestCookieStorage(TestStorage, TestCase):
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
self.assertIsNone(storage.load_data())
+ @skipIf(django.VERSION >= (5, 2, 15), reason="Fix for CVE-2026-6873
prevents manual cookie comparison.")
def test_reset_cookie(self):
request = get_request()
storage = self.get_storage()('wizard1', request, None)
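Review bot: The `skipIf` condition on `test_reset_cookie` only matches `django.VERSION >= (5, 2, 15)`, so if the CVE-2026-6873 fix is also shipped in another release series with a lower version number, the test would still run and fail there; consider listing each fixed series or detecting the changed behaviour instead of a single version bound. Skipping also drops coverage of the cookie written by the reset path on exactly the versions where behaviour changed. In the failure output the payload and timestamp portions are identical and only the signature differs, so an alternative is to keep the test and compare the unsigned payload of `response.cookies[storage.prefix].value` with the expected data rather than comparing the signed strings byte for byte. As displayed, the decorator's `reason` string is split across two lines, which will not parse unless the line is rejoined when the patch is applied.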