"Unknown Error" on weird cookie with space in value
Code Version
8.4.0
Expected Behavior
If the browser sends Cookie: foo: bar boo; SATOSA..., the cookie foo should be ignored.
Current Behavior
It fails with "Unknown error"
Possible Solution
Filter out those weird cookies on apache/nginx?
Steps to Reproduce
- create a cookie with a space in value. For example using JS:
document.cookie = "foo=bar boo; path=/; domain=.univ.fr"
- try to login
To help users, we added the following on our reverse proxy:
proxy_set_header Accept-Encoding "";
subs_filter "^Unknown error$" "It seems you have a strange cookie that is not handled correctly; please go to our <a href='https://browser-diagnostic.univ-paris1.fr/'>diagnostic tool</a>." r;
together with the following https://github.com/UnivParis1/browser-diagnostic/commit/50455e3aad6551f6ffa45976cb0cd77be77519cf
We've seen the same error. It's frustrating for large organizations that have hundreds of applications installed because any one of these can leave a landmine cookie that stops users from logging in.
The issue is with Python's SimpleCookie class. Django gets around this by implementing its own parse_cookie method.
>>> from http import cookies
>>> cookie = cookies.SimpleCookie("goodcookie=goodcookievalue;")
>>> str(cookie)
'Set-Cookie: goodcookie=goodcookievalue'
>>> cookie = cookies.SimpleCookie("goodcookie=goodcookievalue;landmine=bad cookie value;")
>>> str(cookie)
''
As you can see by the above code, the good cookie is wiped out by the presence of bad cookie data.
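As an added example (not code from SATOSA, from Django, or from the commenter above), the following puts the standard-library behaviour shown in the REPL session side by side with a lenient parser written in the spirit of the Django approach the comment mentions, plus a filter that implements the "ignore the weird cookie" behaviour the report asks for. The header string, the cookie names and the function names are constructed for this example; the RFC 6265 cookie-octet set used by the filter is the one the RFC defines.

```python
"""Added example: SimpleCookie versus a lenient Cookie-header parser.

Not SATOSA or Django code. It shows (1) that http.cookies.SimpleCookie
discards the whole header when one cookie value contains a space,
(2) a lenient split-on-';' parser that keeps every readable pair, and
(3) a filter that drops only the malformed cookie, which is the behaviour
the issue report expects.
"""
from http import cookies

# Constructed sample header: one good cookie, one "landmine" cookie whose
# value contains a space, and a session cookie the application relies on.
LANDMINE_HEADER = "goodcookie=goodcookievalue; landmine=bad cookie value; session=abc123"

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# i.e. printable US-ASCII except space, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTETS = frozenset(chr(c) for c in range(0x21, 0x7F) if chr(c) not in '",;\\')


def parse_with_simplecookie(header: str) -> dict:
    """Parse with the standard library: on current Python 3 an unparsable
    chunk makes load() reject the entire header, so nothing survives."""
    jar = cookies.SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_cookie_lenient(header: str) -> dict:
    """Lenient parse in the spirit of Django's parse_cookie (hypothetical
    re-implementation, not Django's code): split on ';', split each chunk on
    the first '=', keep whatever can be read and skip the rest.

    Design choice for this example: chunks without '=' are skipped instead of
    being stored under an empty name. Values are kept verbatim, so the
    landmine value (with its inner space) is returned, not rejected."""
    result = {}
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue
        name, value = chunk.split("=", 1)
        name = name.strip()
        if name:
            result[name] = value.strip()
    return result


def drop_malformed(pairs: dict) -> dict:
    """Keep only cookies whose value is a valid RFC 6265 cookie-value
    (optionally wrapped in double quotes). This is the 'ignore the weird
    cookie' behaviour: the landmine is dropped, its neighbours survive."""
    kept = {}
    for name, value in pairs.items():
        inner = value
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            inner = value[1:-1]
        if all(ch in _COOKIE_OCTETS for ch in inner):
            kept[name] = value
    return kept


def parse_ignoring_bad_cookies(header: str) -> dict:
    """The behaviour the report asks for: lenient parse, then drop only the
    cookies that would have broken a strict parser."""
    return drop_malformed(parse_cookie_lenient(header))


if __name__ == "__main__":
    print("SimpleCookie :", parse_with_simplecookie(LANDMINE_HEADER))
    print("lenient      :", parse_cookie_lenient(LANDMINE_HEADER))
    print("filtered     :", parse_ignoring_bad_cookies(LANDMINE_HEADER))
```

Note that the SimpleCookie result depends on the interpreter version: the whole-header rejection shown above is the behaviour of the current Python 3 parser, which validates the entire string before accepting any of it. Filtering at the application (or, as the report suggests, at the reverse proxy) is what lets a single stray cookie from an unrelated application on the same domain stop being a login-blocking landmine.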