From: Raphael Kubo da Costa <kubo-Y3ZbgMPKUGA34EUeqzHoZw <at> public.gmane.org>
Subject: Re: Is using version 2 of the pickle protocol in {DB,FileBased}Cache
Newsgroups: gmane.comp.python.django.devel
Date: Tuesday 19th April 2011 15:05:46 UTC (over 6 years ago)
Paul McMillan writes:

> Yes, SimpleCookie is known to be an unpickleable class. We shouldn't
> be directly pickling it anywhere in Django. In your code, you should
> probably turn the cookie into a string before caching it. I'm not
> clear if the bug you're experiencing is happening in Django's code or
> something your application is doing directly with SimpleCookie.

[snip]

> I think that your provided test case is trying to do something that is
> explicitly not supported, but I'm unclear on whether or not there is
> an issue in Django-provided code. Could you provide a little more
> information?

Hi Paul,

I am not trying to pickle SimpleCookie directly -- in fact, I enabled
the cache middlewares in settings.py and then set CACHE_BACKEND to
'file:///some/directory'.

I then had a view with no specific cache decorators, but since the
session backend is also on, it added the `Vary: Cookie' header.

After that, I started noticing that a login page including the
`csrf_token' tag started repeating the token when I used curl to access
it without providing any cookies or login credentials. And after the
first time I accessed it, the Set-Cookie header started misbehaving like
it did in the test case I attached -- instead of looking like

  Set-Cookie: foo=bar; other-parameters;

it was looking like

  Set-Cookie: foo="Set-Cookie: foo=bar; other-parameters;"

and the value in the csrf tag was being expanded to something along the
lines of "Set-Cookie: foo=bar; other-parameters;", so validation failed
later.

Some investigation led me to find the problem in the cache backend I was
using, as the cookies inside the cached HttpResponse were being
serialized incorrectly and later picked by FetchFromCacheMiddleware.

-- 
Raphael Kubo da Costa
ProFUSION embedded systems
http://profusion.mobi
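
Added example, not part of the original message or of Django's code: a round-trip check for the symptom described above (a cookie value that contains a rendered Set-Cookie header), run over every pickle protocol, next to the "store the cookie as a string" approach Paul suggests. It assumes the Python 3 standard library; the function names and the sample cookie are constructed for illustration.

```python
import pickle
import re
from http.cookies import SimpleCookie

# Symptom from the message: the cookie value is itself a rendered header, e.g.
#   Set-Cookie: foo="Set-Cookie: foo=bar; other-parameters;"
NESTED = re.compile(r'^Set-Cookie:\s*[^=;\s]+="?Set-Cookie:', re.IGNORECASE)


def is_double_wrapped(header_line):
    """True if a Set-Cookie line carries another Set-Cookie header as its value."""
    return bool(NESTED.match(header_line))


def broken_protocols(cookie):
    """Return the pickle protocols whose round trip changes the rendered headers."""
    expected = cookie.output()
    bad = []
    for proto in range(pickle.HIGHEST_PROTOCOL + 1):
        restored = pickle.loads(pickle.dumps(cookie, proto))
        rendered = restored.output()
        wrapped = any(is_double_wrapped(line) for line in rendered.splitlines())
        if rendered != expected or wrapped:
            bad.append(proto)
    return bad


def freeze(cookie):
    """Reduce the cookies to plain strings, so no cookie object is ever pickled."""
    return [morsel.OutputString() for morsel in cookie.values()]


def thaw(strings):
    """Rebuild a SimpleCookie from the strings produced by freeze()."""
    cookie = SimpleCookie()
    for text in strings:
        cookie.load(text)
    return cookie


def sample_cookie():
    """Constructed sample input, not taken from the thread."""
    cookie = SimpleCookie()
    cookie["csrftoken"] = "abc123"
    cookie["csrftoken"]["path"] = "/"
    return cookie


if __name__ == "__main__":
    print("protocols that corrupt the cookie:", broken_protocols(sample_cookie()))
    print("string form stored in the cache:", freeze(sample_cookie()))
```

Run against the interpreter a deployment actually uses, a non-empty result from broken_protocols() means cached responses should hold the string form instead.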
