1 Modification of the following patch for Django 1.8.15. |
2 |
3 Differences include: |
4 |
5 * moving from django/http/cookie.py (1.8.15) to |
6 django/http/__init__.py (1.4.22) |
7 |
8 * changing the import of django.utils.encoding.force_str (1.8.15) to |
9 django.utils.encoding.smart_str (1.4.22) since the former does not |
10 exist in the 1.4.22 codebase. |
11 |
12 commit 6118ab7d0676f0d622278e5be215f14fb5410b6a |
13 Author: Collin Anderson <[email protected]> |
14 Date: Fri Mar 11 21:36:08 2016 -0500 |
15 |
16 [1.8.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics. |
17 |
18 This is a security fix. |
19 |
20 Backport of "refs #26158 -- rewrote http.parse_cookie() to better match |
21 browsers." 93a135d111c2569d88d65a3f4ad9e6d9ad291452 from master |
22 |
23 |
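--- Django-1.4.22/django/http/__init__.py.orig 2016-09-29 08:02:02.861465688 -0700
+++ Django-1.4.22/django/http/__init__.py 2016-09-29 08:13:27.662250171 -0700
@@ -26,6 +26,10 @@ except ImportError:
     from cgi import parse_qsl
 
 import Cookie
+from django.utils import six
+from django.utils.encoding import smart_str
+from django.utils.six.moves import http_cookies
+
 # httponly support exists in Python 2.6's Cookie library,
 # but not in Python 2.5.
 _morsel_supports_httponly = 'httponly' in Cookie.Morsel._reserved
@@ -545,20 +549,23 @@ class QueryDict(MultiValueDict):
         return '&'.join(output)
 
 def parse_cookie(cookie):
-    if cookie == '':
-        return {}
-    if not isinstance(cookie, Cookie.BaseCookie):
-        try:
-            c = SimpleCookie()
-            c.load(cookie)
-        except Cookie.CookieError:
-            # Invalid cookie
-            return {}
-    else:
-        c = cookie
+    """
+    Return a dictionary parsed from a `Cookie:` header string.
+    """
     cookiedict = {}
-    for key in c.keys():
-        cookiedict[key] = c.get(key).value
+    if six.PY2:
+        cookie = smart_str(cookie)
+    for chunk in cookie.split(str(';')):
+        if str('=') in chunk:
+            key, val = chunk.split(str('='), 1)
+        else:
+            # Assume an empty name per
+            # https://bugzilla.mozilla.org/show_bug.cgi?id=169091
+            key, val = str(''), chunk
+        key, val = key.strip(), val.strip()
+        if key or val:
+            # unquote using Python's algorithm.
+            cookiedict[key] = http_cookies._unquote(val)
     return cookiedict
 
 class BadHeaderError(ValueError):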
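Review bot: The new parse_cookie body silently changes its input contract: the removed `isinstance(cookie, Cookie.BaseCookie)` branch accepted a `SimpleCookie` object, while the new code calls `cookie.split(str(';'))` unconditionally, so any caller in this 1.4.22 tree that still passes a cookie object (the 1.8.15 patch being backported made the same change, so there may be none — worth confirming) will now get an AttributeError rather than a parsed dict, and the docstring should state that only a header string is accepted. The docstring should also record why the function no longer delegates to `SimpleCookie.load`: the removed code returned `{}` on any `Cookie.CookieError`, discarding every cookie in the header when a single one was malformed, which is the behaviour this fix removes; a comment such as `# Deliberately lenient: one malformed cookie must not discard the rest of the header (CVE-2016-7401).` placed after the docstring would keep a future maintainer from "simplifying" back to the stdlib parser. Because values are stored by plain dict assignment inside the loop, a repeated cookie name keeps its last occurrence, which deserves a sentence in the docstring as well. Finally, `http_cookies._unquote` is a private stdlib helper, so a short comment noting that its behaviour may change between Python releases is advisable.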