#32191: Not RFC 6265 compliant cookies in contrib.messages.
----------------------------------+---------------------------------------
     Reporter:  Nico Giefing      |                    Owner:  Craig Smith
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.messages  |                  Version:  3.1
     Severity:  Normal            |               Resolution:
     Keywords:  Cookie malformed  |             Triage Stage:  Accepted
    Has patch:  0                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+---------------------------------------

Comment (by Craig Smith):

 Hi Florian, thanks for your feedback. I see what you mean about the Euro
 symbol and Unicode characters in general. To get around this I added a
 `charset` parameter to the `compress/decompress` methods. So we can use
 utf-8 by default, but latin-1 where required.

 We need to use latin-1 in the `signing.dumps/loads` functions, since the
 `signing.JSONSerializer` uses it. Swapping it out leads us into that
 hornet's nest.

 The two tests that require latin-1 are
 `messages_tests.test_mixins.test_set_messages_success` and
 `messages_tests.test_cookie.test_cookie_settings`. This happens because of
 one or two calls to `storage.add` and `storage.update`. As an experiment
 I replaced all occurrences of latin-1 and iso-8859-1 with utf-8 to see if
 those tests would pass - they wouldn't. So it's from a dependency outside
 of Django, most likely to do with WSGI, which uses latin-1 somehow. The
 bytes in particular are 0x91 and 0x92, which are left and right single
 quote characters in latin-1. Maybe we should open another ticket about
 removing the iso-8859-1 charset. Or at least pushing it back further
 toward the dependency boundary.

 I will get back onto this in a few days and come up with those extra
 tests. And then probably need to add documentation about the new methods.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32191#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
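
An added illustration, not code from the ticket or from Django's patch: an RFC 6265 cookie-octet check around a hypothetical `compress`/`decompress` pair that takes a `charset` argument, run on a message containing the Euro symbol discussed in the comment above. The helper bodies, `is_rfc6265_value`, `roundtrip` and the sample message are assumptions made for the example.

```python
import base64
import json
import re
import zlib

# RFC 6265 section 4.1.1 cookie-octet: US-ASCII without CTLs, whitespace,
# DQUOTE, comma, semicolon and backslash.
COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def is_rfc6265_value(value):
    """True if every character of the cookie value is a cookie-octet."""
    return COOKIE_OCTETS.fullmatch(value) is not None


def compress(text, charset="utf-8"):
    """Hypothetical helper: encode with charset, deflate, URL-safe base64."""
    raw = zlib.compress(text.encode(charset))
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decompress(value, charset="utf-8"):
    """Inverse of compress(); the charset must match the one used to encode."""
    raw = zlib.decompress(base64.urlsafe_b64decode(value.encode("ascii")))
    return raw.decode(charset)


def roundtrip(text, charset):
    """Return (cookie_value, restored_text), or (None, None) when the
    charset cannot represent the text."""
    try:
        value = compress(text, charset)
    except UnicodeEncodeError:
        return None, None
    return value, decompress(value, charset)


# Constructed sample: a JSON-encoded message list with a Euro sign plus the
# characters RFC 6265 forbids in a raw cookie value (space, comma, semicolon,
# double quote, backslash).
SAMPLE = json.dumps(["Price: 10 \u20ac", 'done; ok, "quoted"'], ensure_ascii=False)

if __name__ == "__main__":
    print("raw JSON compliant:", is_rfc6265_value(SAMPLE))
    for charset in ("utf-8", "latin-1"):
        value, restored = roundtrip(SAMPLE, charset)
        print(charset, "->", value, "| restored intact:", restored == SAMPLE)
    # Decoding with a different charset than the encoder raises no error here;
    # it silently returns mojibake.
    print(decompress(compress("caf\u00e9", "utf-8"), "latin-1"))
```

The encoded value passes the cookie-octet check under either charset, so compliance comes from the base64 step; the charset only decides which messages can be stored and whether they are restored intact.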
