#13876 assigned defect

Python 3 cookie parsing bug causing authentication problems

Reported by:	Chris Shelton <cshelton@…>	Owned by:	Jun Omae
Priority:	normal	Milestone:	1.6.1
Component:	general	Version:	1.6
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Jun Omae)

(Originally reported at gmessage:trac-users:YYnHrPfA8Bc)

While working on an upgrade of a Trac environment from an old 0.12 setup to Trac 1.6, I have discovered a problem with the cookie parsing logic included in the SimpleCookie and/or BaseCookie routines provided by python 3. It appears that python 3 will discard all cookies from a session if any one of the cookies contains an invalid character in the name or value of the cookie. It appears that an unnamed cookie will also trigger this same behavior. The result of this bug is Trac not allowing a user to log in to the system, since the trac_auth cookie is not returned by the SimpleCookie or BaseCookie routines.

This same issue was discovered by the Django project several years ago: Django:ticket/26158

Their fix for this issue was to replace the use of SimpleCookie with manually parsing the cookies: Django:ticket/26158#comment:11

This issue is not caused by Trac setting invalid cookie names or values, it is due to a separate web application setting these cookies at a higher level in my organization, whenever people access a organization wide ERP system.

Change History (1)

comment:1 by Jun Omae, 5 hours ago

Description:	modified (diff)
Milestone:	→ 1.6.1
Owner:	set to Jun Omae
Status:	new → assigned
Version:	→ 1.6

Investigating your cookies, this is caused by whitespaces in the value of the cookies, not unnamed cookies. Also, the issue has been filed at https://github.com/python/cpython/issues/75637 (PythonBug:31456) 7 years ago, but still not fixed.

Proposed changes in [8ea65059c/jomae.git] (jomae.git@t13876).

Modify Ticket

Change Properties

Summary:
Description:	(Originally reported at gmessage:trac-users:YYnHrPfA8Bc) While working on an upgrade of a Trac environment from an old 0.12 setup to Trac 1.6, I have discovered a problem with the cookie parsing logic included in the `SimpleCookie` and/or `BaseCookie` routines provided by python 3. It appears that python 3 will discard all cookies from a session if any one of the cookies contains an invalid character in the name or value of the cookie. It appears that an unnamed cookie will also trigger this same behavior. The result of this bug is Trac not allowing a user to log in to the system, since the trac_auth cookie is not returned by the `SimpleCookie` or `BaseCookie` routines. This same issue was discovered by the Django project several years ago: Django:ticket/26158 Their fix for this issue was to replace the use of `SimpleCookie` with manually parsing the cookies: Django:ticket/26158#comment:11 This issue is not caused by Trac setting invalid cookie names or values, it is due to a separate web application setting these cookies at a higher level in my organization, whenever people access a organization wide ERP system. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as assigned The owner will remain Jun Omae.

unassign The ticket will be disowned. Next status will be 'new'.

resolve as The resolution will be set. Next status will be 'closed'.

change ownership to The owner will be changed from Jun Omae to the specified user.

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Download in other formats:

Context Navigation

#13876 assigned defect

Python 3 cookie parsing bug causing authentication problems

Description (last modified by Jun Omae)

Attachments (0)

Change History (1)

comment:1 by Jun Omae, 5 hours ago

Modify Ticket

Add Comment

by anonymous

Download in other formats: