#15863: SimpleCookies are not correctly serialized with the file or database cache backends
--------------------+------------------------------------
 Reporter:  rakuco  |         Owner:  PaulM
     Type:  Bug     |        Status:  new
Milestone:          |     Component:  Core (Cache system)
  Version:  1.2     |      Severity:  Normal
 Keywords:          |  Triage Stage:  Unreviewed
Has patch:  0       |
--------------------+------------------------------------
 As discussed in the
 [http://article.gmane.org/gmane.comp.python.django.devel/31913 django-
 developers mailing list], it appears that !SimpleCookies in !HttpResponses
 are not being correctly serialized when one uses either the file or the
 database cache backends.

 The following steps are enough to trigger the incorrect behaviour:

  1. Enable !UpdateCacheMiddleware and !FetchFromCacheMiddleware in
 settings.py, and set CACHE_BACKEND accordingly
  1. Enable !SessionMiddleware and !CsrfViewMiddleware
  1. Have a view with a simple form and no specific cache decorators. Since
 the session application is being used, the `Vary: Cookie` header will be
 added anyway.
  1. In the template used by the view, include the `csrf_token` tag, as
 usual.
  1. Access the view, either via curl or a web browser.
  1. The first time the view is accessed, the csrf token is both set in the
 header as a cookie and displayed as a hidden form element, as expected.
 The header has the format `Set-Cookie: csrftoken=XX; Max-Age: YY; Path=/`.
  1. Each subsequent time the view is accessed, the cookie header has the
 format `Set-Cookie: csrftoken="Set-Cookie: csrftoken=XX Max-Age: YY;
 Path=/"`, and so does the csrf form element, which causes the submitted
 form to be invalid when the csrf checks are made.

 It turns out that `UpdateCacheMiddleware` serializes the returned
 !HttpResponse in `process_response`, and both the file and the database
 cache backends use `pickle.dumps` with protocol=pickle.HIGHEST_PROTOCOL.
 It is known that [http://bugs.python.org/issue826897 SimpleCookies are
 incompatible with pickle.HIGHEST_PROTOCOL]. !FetchFromCacheMiddleware
 later retrieves this same !HttpResponse and returns it; however, the
 cookies then have invalid values.

 The attached testcase triggers the problem in the unit tests.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/15863>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

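The mechanism the ticket describes, as an added example that is not part of the ticket, not Django's code and not the attached test case: a probe that pickles an `http.cookies.SimpleCookie` at every available protocol and reports whether the restored cookie still emits the same `Set-Cookie` lines, plus a protocol-independent alternative that caches the header lines themselves and rebuilds the cookie with `SimpleCookie.load()`. The function names, the `csrftoken` value and the attribute values are constructed for the example; it assumes CPython 3, where the cookie module is `http.cookies` rather than Python 2's `Cookie`. On a CPython release where the cited Python issue has been fixed, every protocol reports ok; on an affected interpreter the protocol 2 and higher entries come back `False` and `restored_value()` returns the whole `Set-Cookie:` line in place of the token, which is exactly the symptom in the report.

```python
# Added example (not Django's code, and not the test case attached to the
# ticket): probe whether http.cookies.SimpleCookie survives a pickle
# round-trip at each protocol, and cache the cookie as its Set-Cookie header
# lines instead, which does not depend on the pickle protocol at all.
# Assumes CPython 3 (http.cookies); the Python 2 module was named Cookie.
import pickle
from http.cookies import SimpleCookie


def make_cookie():
    """Constructed sample resembling the csrftoken cookie in the report."""
    c = SimpleCookie()
    c["csrftoken"] = "deadbeefcafe"        # constructed token value
    c["csrftoken"]["max-age"] = 3600
    c["csrftoken"]["path"] = "/"
    c["csrftoken"]["httponly"] = True
    return c


def cookie_headers(cookie):
    """Wire form: one Set-Cookie value per Morsel, in deterministic order."""
    return [morsel.OutputString() for _, morsel in sorted(cookie.items())]


def restored_value(cookie, protocol):
    """Value of the first cookie after a pickle round-trip at `protocol`.

    On an interpreter affected by the Python issue cited in the ticket this
    comes back as the whole "Set-Cookie: ..." line instead of the token."""
    restored = pickle.loads(pickle.dumps(cookie, protocol))
    name = sorted(restored)[0]
    return restored[name].value


def pickle_roundtrip_ok(cookie, protocol):
    """True when the restored cookie emits the same Set-Cookie lines."""
    restored = pickle.loads(pickle.dumps(cookie, protocol))
    return cookie_headers(restored) == cookie_headers(cookie)


def probe_all_protocols(cookie=None):
    """Map each pickle protocol to whether the round-trip is lossless.

    Protocols 0 and 1 rebuild dict subclasses through dict.__init__ without
    calling the subclass __setitem__, so they were never affected; protocol 2
    and higher feed each item through SimpleCookie.__setitem__, which is
    where the corruption appeared."""
    if cookie is None:
        cookie = make_cookie()
    return {p: pickle_roundtrip_ok(cookie, p)
            for p in range(pickle.HIGHEST_PROTOCOL + 1)}


def cookies_to_cache(cookie):
    """Store the header strings, not the SimpleCookie object."""
    return cookie_headers(cookie)


def cookies_from_cache(lines):
    """Rebuild a SimpleCookie from cached Set-Cookie header values."""
    cookie = SimpleCookie()
    for line in lines:
        cookie.load(line)
    return cookie


def header_roundtrip_ok(cookie=None):
    """True when the header-line cache round-trip preserves the cookie."""
    if cookie is None:
        cookie = make_cookie()
    rebuilt = cookies_from_cache(cookies_to_cache(cookie))
    return cookie_headers(rebuilt) == cookie_headers(cookie)


if __name__ == "__main__":
    for proto, ok in probe_all_protocols().items():
        print(f"pickle protocol {proto}: {'ok' if ok else 'CORRUPTED'}")
    print("header-line round-trip:", "ok" if header_roundtrip_ok() else "BROKEN")
    print("restored value at HIGHEST_PROTOCOL:",
          restored_value(make_cookie(), pickle.HIGHEST_PROTOCOL))
```

The header-line approach works because the cache only ever needs to re-emit the `Set-Cookie` values; comparing `OutputString()` rather than the objects themselves also makes the probe insensitive to `Max-Age` being stored as an int before the round-trip and as a string after `load()`.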