Opened 5 weeks ago
Last modified 5 weeks ago
#13876 assigned defect
Python 3 cookie parsing bug causing authentication problems
Reported by: | | Owned by: | Jun Omae |
---|---|---|---|
Priority: | normal | Milestone: | 1.6.1 |
Component: | general | Version: | 1.6 |
Severity: | normal | Keywords: | |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description (last modified by )
(Originally reported at gmessage:trac-users:YYnHrPfA8Bc)
While working on an upgrade of a Trac environment from an old 0.12 setup to Trac 1.6, I have discovered a problem with the cookie parsing logic included in the SimpleCookie and/or BaseCookie routines provided by Python 3. It appears that Python 3 will discard all cookies from a session if any one of the cookies contains an invalid character in the name or value of the cookie. It appears that an unnamed cookie will also trigger this same behavior. The result of this bug is Trac not allowing a user to log in to the system, since the trac_auth cookie is not returned by the SimpleCookie or BaseCookie routines.
This same issue was discovered by the Django project several years ago: Django:ticket/26158
Their fix for this issue was to replace the use of SimpleCookie with manually parsing the cookies: Django:ticket/26158#comment:11
This issue is not caused by Trac setting invalid cookie names or values; it is due to a separate web application setting these cookies at a higher level in my organization, whenever people access an organization-wide ERP system.
Attachments (0)
Change History (4)
comment:1 by , 5 weeks ago
Description: | modified (diff) |
---|---|
Milestone: | → 1.6.1 |
Owner: | set to |
Status: | new → assigned |
Version: | → 1.6 |
comment:2 by , 5 weeks ago
Your proposed change from comment:1 seems to resolve the issue that I was having with cookie parsing causing an inability to log in to my new Trac 1.6 environment. I will do some additional testing over the next few days, but I believe that this fix resolves my issue.
Thanks for your prompt help!
comment:3 by , 5 weeks ago
I have continued to use a modified version of Trac with the proposed changes to resolve this issue with cookie parsing in Python 3 for the past several days. So far, the fix by Jun has been working well, and resolves the issues that I was having.
Investigating your cookies, this is caused by whitespace in the value of the cookies, not unnamed cookies. Also, the issue was filed at https://github.com/python/cpython/issues/75637 (PythonBug:31456) 7 years ago, but is still not fixed.
Proposed changes in [8ea65059c/jomae.git] (jomae.git@t13876).
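
The behaviour discussed in this ticket, as an added example that is not part of the ticket, the proposed Trac change, or Django's code: one cookie with whitespace in its value makes SimpleCookie return nothing, while parsing each `name=value` chunk on its own keeps trac_auth. The header, the `erp_pref` cookie and the helper names `parse_strict` and `parse_tolerant` are constructed for illustration, and the result assumes a Python 3 where the CPython issue linked above is still unfixed.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed Cookie header: a foreign application's cookie whose value
# contains whitespace, sent alongside Trac's trac_auth cookie.
HEADER = "erp_pref=last page viewed; trac_auth=0123456789abcdef"


def parse_strict(header):
    """Parse the whole header with SimpleCookie; returns {name: value}."""
    cookie = SimpleCookie()
    try:
        cookie.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in cookie.items()}


def parse_tolerant(header):
    """Parse each 'name=value' chunk on its own (hypothetical helper).

    A chunk that SimpleCookie rejects is skipped instead of discarding
    the whole header, so one bad cookie cannot hide trac_auth.
    """
    result = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if not sep or not name:
            continue  # unnamed or valueless chunk: ignore it
        single = SimpleCookie()
        try:
            single.load(name + "=" + value)
        except CookieError:
            continue
        if name in single:  # absent when the chunk was rejected
            result[name] = single[name].value
    return result


if __name__ == "__main__":
    print("SimpleCookie on full header:", parse_strict(HEADER))
    print("per-chunk parsing:          ", parse_tolerant(HEADER))
```

The per-chunk parser drops the malformed `erp_pref` cookie rather than accepting its truncated value, which keeps the validation SimpleCookie performs while limiting the rejection to the offending cookie.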