#36547: Construction of a cookie using user-supplied input
-----------------------------------------+--------------------------
               Reporter:  ptrgits        |          Owner:  ptrgits
                   Type:  New feature    |         Status:  assigned
              Component:  Uncategorized  |        Version:  5.2
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+--------------------------
 In the following cases, a cookie is constructed for a Flask response using
 user input. The first uses set_cookie, and the second sets a cookie's raw
 value through the set-cookie header.


 {{{
 from flask import Flask, request, make_response

 app = Flask(__name__)


 @app.route("/1")
 def set_cookie():
     resp = make_response()
     # BAD: user input is used to set the cookie's name and value
     resp.set_cookie(request.args["name"], value=request.args["name"])
     return resp


 @app.route("/2")
 def set_cookie_header():
     resp = make_response()
     # BAD: user input is used to set the raw cookie header
     resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};"
     return resp
 }}}



 https://en.wikipedia.org/wiki/Session_fixation
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36547>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
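
Added example, not part of the ticket and not Django's or Flask's own code: the two snippets above let a request choose the cookie name (so a crafted link can plant a cookie with the application's session-cookie name on a victim's browser, the session-fixation case the ticket links), and the raw-header variant additionally lets ";" append cookie attributes and CR/LF append further headers. The helper below checks untrusted name and value against the RFC 6265 grammar (cookie-name is an HTTP token, cookie-value is a run of cookie-octets) and refuses application-reserved names before anything reaches Set-Cookie. The reserved names "sessionid" and "csrftoken", the function names and the sample inputs are assumptions made for the illustration.

```python
import re

# RFC 6265 cookie-name is an HTTP token: printable US-ASCII (0x21-0x7E)
# containing none of the RFC 2616 "separators".
_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')

# RFC 6265 cookie-octet: 0x21, 0x23-0x2B, 0x2D-0x3A, 0x3C-0x5B, 0x5D-0x7E,
# i.e. printable US-ASCII except SP, DQUOTE, comma, semicolon and backslash.
# CR and LF are excluded as well, which is what blocks header injection.
_COOKIE_VALUE = re.compile(r'[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*')

# Cookie names this application keeps for itself (assumed names chosen for the
# example). Letting a request pick one of these for a victim's browser is the
# session-fixation case.
RESERVED_COOKIE_NAMES = frozenset({"sessionid", "csrftoken"})


def is_valid_cookie_name(name: str) -> bool:
    """True if *name* is a non-empty RFC 6265 token."""
    if not name:
        return False
    return all(0x21 <= ord(ch) <= 0x7E and ch not in _SEPARATORS for ch in name)


def is_valid_cookie_value(value: str) -> bool:
    """True if *value* consists only of cookie-octets (empty is allowed)."""
    # fullmatch, not match: "dark\n" must fail, and "$" would accept a
    # trailing newline.
    return _COOKIE_VALUE.fullmatch(value) is not None


def build_set_cookie(name: str, value: str, *, path: str = "/",
                     max_age=None) -> str:
    """Return a Set-Cookie header value for untrusted *name* and *value*.

    Raises ValueError instead of emitting anything if either part could add
    attributes (";"), a second header (CR/LF) or hijack a reserved name.
    """
    if not is_valid_cookie_name(name):
        raise ValueError(f"illegal cookie name: {name!r}")
    if name.lower() in RESERVED_COOKIE_NAMES:
        raise ValueError(f"reserved cookie name: {name!r}")
    if not is_valid_cookie_value(value):
        raise ValueError(f"illegal cookie value: {value!r}")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    parts += ["Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(parts)


def try_build(name: str, value: str) -> str:
    """Demo helper: the header value, or the reason the input was rejected."""
    try:
        return build_set_cookie(name, value)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs; the last three are the kinds of payload a
    # ?name=... query parameter in the ticket's handlers could carry.
    samples = [
        ("theme", "dark"),                        # accepted
        ("sessionid", "attacker-chosen"),         # session fixation
        ("theme", "dark; Domain=.example.com"),   # attribute injection
        ("x", "y\r\nSet-Cookie: sessionid=evil"), # header injection
    ]
    for n, v in samples:
        print(f"{n!r}, {v!r} -> {try_build(n, v)}")
```

The same checks apply whether the values go through set_cookie or are concatenated into a raw header; the safer design is still not to let a request name the cookie at all and to take the name from a server-side allowlist.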
