components/python/django/patches/CVE-2016-7401.patch
branchs11u3-sru
changeset 7115 0c932cebfc40
7110:eef24b4f8a52 7115:0c932cebfc40
       
     1 Modification of the following patch for Django 1.8.15.
       
     2 
       
     3 Differences include:
       
     4 
       
     5 * moving from django/http/cookie.py (1.8.15) to
       
     6   django/http/__init__.py (1.4.22)
       
     7 
       
     8 * changing the import of django.utils.encoding.force_str (1.8.15) to
       
     9   django.utils.encoding.smart_str (1.4.22) since the former does not
       
    10   exist in the 1.4.22 codebase.
       
    11 
       
    12 commit 6118ab7d0676f0d622278e5be215f14fb5410b6a
       
    13 Author: Collin Anderson <[email protected]>
       
    14 Date:   Fri Mar 11 21:36:08 2016 -0500
       
    15 
       
    16     [1.8.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics.
       
    17 
       
    18     This is a security fix.
       
    19 
       
    20     Backport of "refs #26158 -- rewrote http.parse_cookie() to better match
       
    21     browsers." 93a135d111c2569d88d65a3f4ad9e6d9ad291452 from master
       
    22 
       
    23 
       
    24 --- Django-1.4.22/django/http/__init__.py.orig 2016-09-29 08:02:02.861465688 -0700
       
    25 +++ Django-1.4.22/django/http/__init__.py 2016-09-29 08:13:27.662250171 -0700
       
    26 
       
    27 @@ -26,6 +26,10 @@ except ImportError:
       
    28          from cgi import parse_qsl
       
    29 
       
    30  import Cookie
       
    31 +from django.utils import six
       
    32 +from django.utils.encoding import smart_str
       
    33 +from django.utils.six.moves import http_cookies
       
    34 +
       
    35  # httponly support exists in Python 2.6's Cookie library,
       
    36  # but not in Python 2.5.
       
    37  _morsel_supports_httponly = 'httponly' in Cookie.Morsel._reserved
       
    38 @@ -545,20 +549,23 @@ class QueryDict(MultiValueDict):
       
    39          return '&'.join(output)
       
    40 
       
    41  def parse_cookie(cookie):
       
    42 -    if cookie == '':
       
    43 -        return {}
       
    44 -    if not isinstance(cookie, Cookie.BaseCookie):
       
    45 -        try:
       
    46 -            c = SimpleCookie()
       
    47 -            c.load(cookie)
       
    48 -        except Cookie.CookieError:
       
    49 -            # Invalid cookie
       
    50 -            return {}
       
    51 -    else:
       
    52 -        c = cookie
       
    53 +    """
       
    54 +    Return a dictionary parsed from a `Cookie:` header string.
       
    55 +    """
       
    56      cookiedict = {}
       
    57 -    for key in c.keys():
       
    58 -        cookiedict[key] = c.get(key).value
       
    59 +    if six.PY2:
       
    60 +        cookie = smart_str(cookie)
       
    61 +    for chunk in cookie.split(str(';')):
       
    62 +        if str('=') in chunk:
       
    63 +            key, val = chunk.split(str('='), 1)
       
    64 +        else:
       
    65 +            # Assume an empty name per
       
    66 +            # https://bugzilla.mozilla.org/show_bug.cgi?id=169091
       
    67 +            key, val = str(''), chunk
       
    68 +        key, val = key.strip(), val.strip()
       
    69 +        if key or val:
       
    70 +            # unquote using Python's algorithm.
       
    71 +            cookiedict[key] = http_cookies._unquote(val)
       
    72      return cookiedict
       
    73 
       
    74  class BadHeaderError(ValueError):
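Review bot: The three imports added at hunk lines 31–33 are redundant in the 1.4.22 tree: `Cookie` is already imported on line 30 and `six.moves.http_cookies` is just an alias for it on Python 2, while Django 1.4.x supports Python 2 only so the `if six.PY2:` guard at line 59 is always taken. A smaller backport, and one that does not depend on the bundled `django.utils.six` carrying the `http_cookies` move (presumably it does, but worth confirming), is `cookie = smart_str(cookie)` unconditionally and `cookiedict[key] = Cookie._unquote(val)`, keeping only the `smart_str` import. Either way `_unquote` is a private helper of the stdlib module, so a comment such as `# Cookie._unquote is private to the stdlib; re-check when changing interpreter versions` next to line 71 would flag that dependency for the packager. The upstream fix referenced in the preamble also ships with regression tests for the rewritten parser, which this patch does not carry; adapting them to 1.4.22 would confirm the backport parses the header values that triggered CVE-2016-7401 the same way 1.8.15 does.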