#33212: Incorrect cookie parsing by django.http.cookie.parse_cookie
-----------------------------------+--------------------------------------
Reporter: Christos Georgiou | Owner: nobody
Type: Bug | Status: new
Component: Core (Other) | Version: 3.2
Severity: Normal | Resolution:
Keywords: cookies | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Comment (by Florian Apolloner):
I have been thinking about this and I am a bit torn.
First and foremost I do not agree with the OP when they say:
> `django_cookie=good_value; third_party="some_cookie=some_value;
django_cookie=bad_value"`
> ...
> One would expect `django_cookie` to have `good_value`.
Why would one expect `django_cookie` to have `good_value`? That example
Cookie header is invalid per the specification. As such it should never
have existed and the "proper" way would be to simply ignore the header
completely. Now the question is how much we'd break why that :D I am a bit
afraid to do so because in practice django_cookie=" a b c" will probably
work well enough through most servers even though it is also invalid.
I agree with Collin that changing the order would be a good start to bring
us in line with what the rest of the frameworks does -- simply to ensure
that a proxy that operates on cookies does not choose the other variant.
That said, that proxy/waf should get fixed as well.
It is true that this does have security impacts, but an attacker would be
able to control the cookie values in interesting ways and in most cases
the cookie values don't contain enough interesting material. Even sending
two session ids will only cause problems if the proxy before also performs
ACL-checks against that session id. But since we never know what this
proxy does, we cannot fix it, because the fix might result in a
vulnerability in the first place.
Given that most websites seem to be fine with the current behavior I'd be
okay to add a strict cookie parsing (and also for set-cookie) behind a
setting (as much as I hate settings I expect a non-minimal amount of
websites to have invalid cookies). Similar discussion happened on
https://code.djangoproject.com/ticket/32191 where Django itself created
invalid cookies.
--
Ticket URL: <https://code.djangoproject.com/ticket/33212#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/062.50ab18d7d0d1d3436e9b57262d89096f%40djangoproject.com.
