over 1 year ago

I have actually found a bug in Django:

Here is the issue: You cannot have a cookie which key contains either the character '[' or ']'

I discovered the solution following @Todor's link, then I found out about this SO post. Basically there was a bug in python 2.7.x that does not parse cookies with ']' in the value. The bug was fixed in 2.7.10.

I thought it would be good to just confirm this issue. So I dug through all of the cookies and found one with the following key/value:

key: BDRCVFR[feWj1Vr5u3D]
val: I67x6TjHwwYf0

So I inserted the following cookie locally and submitted to the server:

key: test
val: BDRCVFR[feWj1Vr5u3D]

The login page worked, which means 2.7.10 indeed fixed the bug.

But then I realized that the square brackets are actually in the key name not in the value, so I did the following tests:

key: [
val: I67x6TjHwwYf0

and

key:]
val: I67x6TjHwwYf0

Both cookies break the login process and django displays:

CSRF cookie not set

If a invalid cookie comes before the csrftoken cookie in the Cookie field of the http request header, then Django will ignore everything after the invalid cookie, which makes Django think that the CSRF cookie is not set

I filed a bug report to Django. This bug is fixed in version 1.10 so make sure you update Django when 1.10 is released.

← JavaScript what happens when newing an object Install Python3 and virtualenv on Mac →
 
comments powered by Disqus