#32191: Not RFC 6265 compliant cookies in contrib.messages.
----------------------------------+---------------------------------------
     Reporter:  Nico Giefing      |                    Owner:  Craig Smith
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.messages  |                  Version:  3.1
     Severity:  Normal            |               Resolution:
     Keywords:  Cookie malformed  |             Triage Stage:  Accepted
    Has patch:  0                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+---------------------------------------

Comment (by Craig Smith):

 Hi All,
 I have started over. This is the new
 [https://github.com/django/django/pull/13732 PR].

 Still some more work to do on it though.

 I have opted to use latin-1 to encode internal to the new functions as we
 use latin-1 elsewhere. I was surprised when using utf-8 that a character
 was unrecognised when calling
 `decompress_b64(request.cookies['messages'].value)` in the
 `messages_tests.test_mixins.test_set_messages_success` test. But using
 latin-1 works. UTF-8 would be better, IMHO because we could store messages
 in many more languages, but those changes would need to be a bit more
 widespread and possibly have a bigger impact. But as the latin-1 character
 set is contained in utf-8, all we'd need to do is change our latin-1
 encodings to utf-8 - is that something we should do here, or maybe bring
 it up on the mailing list?

 Going forward, I will add tests, in particular to confirm RFC6265
 compliant message cookies, and I will attempt integrating the new
 functions as methods of the signer base class.

 **Another question**: `signing.dumps` currently takes a `compress=False`
 keyword arg, should this be passed through to the `sign` method? Or should
 the `sign` method compress and base64 encode by default?

 Thanks for reading.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32191#comment:22>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
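
An added illustration of the two points raised in the comment above (not code from the PR or from Django): a check against the RFC 6265 cookie-octet set, and a compress-then-base64 encoding whose output passes it under either codec. The `compress_b64`/`decompress_b64` bodies are assumptions that only borrow the name mentioned in the comment, `is_rfc6265_value` and `latin1_can_encode` are hypothetical helpers, and the sample payloads are constructed.

```python
import base64
import json
import zlib

# RFC 6265 section 4.1.1 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# (US-ASCII without CTLs, whitespace, DQUOTE, comma, semicolon and backslash).
COOKIE_OCTETS = frozenset(
    [0x21, *range(0x23, 0x2C), *range(0x2D, 0x3B), *range(0x3C, 0x5C), *range(0x5D, 0x7F)]
)


def is_rfc6265_value(value: str) -> bool:
    """True if every character of value is a cookie-octet."""
    return all(ord(ch) in COOKIE_OCTETS for ch in value)


def compress_b64(text: str, encoding: str = "utf-8") -> str:
    """Assumed shape: encode, zlib-compress, URL-safe base64 without padding."""
    raw = zlib.compress(text.encode(encoding))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decompress_b64(value: str, encoding: str = "utf-8") -> str:
    """Inverse of compress_b64; the codec must match the one used to encode."""
    padded = value.encode("ascii") + b"=" * (-len(value) % 4)
    return zlib.decompress(base64.urlsafe_b64decode(padded)).decode(encoding)


def latin1_can_encode(text: str) -> bool:
    """True if text survives a latin-1 encode, i.e. has no code point above U+00FF."""
    try:
        text.encode("latin-1")
    except UnicodeEncodeError:
        return False
    return True


# Constructed payloads shaped like a JSON-serialised list of messages.
ASCII_PAYLOAD = json.dumps([["info", "Saved, thanks"]])
CJK_PAYLOAD = json.dumps([["info", "保存しました"]], ensure_ascii=False)

if __name__ == "__main__":
    for payload in (ASCII_PAYLOAD, CJK_PAYLOAD):
        cookie = compress_b64(payload)
        print(is_rfc6265_value(payload), is_rfc6265_value(cookie), latin1_can_encode(payload))
```

Both sides have to agree on the codec: bytes written as latin-1 are not generally valid UTF-8, so switching the encoding also affects cookies issued before the change.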
