{
  "Selected_candidate": {
    "pr_number": 13800,
    "pr_title": "Fixed #32191 -- Made CookieStorage use RFC 6265 compliant format.",
    "pr_body": "Continues work by Florian Apolloner in this [PR](https://github.com/django/django/pull/13793).\r\nThe aim is to make messages, when stored in cookies, compliant with RFC6265 which defines allowed characters for cookies. It does this by base64 encoding them, and then to reduce their size, it compresses them using zlib.\r\nThis fix is achieved by introducing `sign_object` and `unsign_object` into the base signer class.",
    "issue_id": 32191,
    "issue_title": "Not RFC 6265 compliant cookies in contrib.messages.",
    "issue_body": "Hi\nA Customer of mine is using a WAF which is handling Cookies as it is described tin the RFC:\n​\nhttps://tools.ietf.org/html/rfc6265\nThe issue now is that Django is trying to use an escape-character in cookie-Values which is not supported in the RFC\nan example of such a cookie:\nmessages=\\\"123\\\\\\\"NOTRECEIVED\\\"\"\nPlease consider to get this fixed so there can be a protection of this system.\nRegards,\nNico",
    "issue_closed_at": "2021-01-07T06:20:56",
    "base_commit": "3eb98743dcaa0b7abd2d5832cba8cc9cb586a964",
    "changes": [
      {
        "file": "django/contrib/messages/storage/cookie.py",
        "type": "class",
        "name": "MessageEncoder",
        "code": "class MessageEncoder(json.JSONEncoder):\n    \"\"\"\n    Compactly serialize instances of the ``Message`` class as JSON.\n    \"\"\"\n    message_key = '__json_message'\n\n    def __init__(self, *args, **kwargs):\n        kwargs.setdefault('separators', (',', ':'))\n        super().__init__(*args, **kwargs)\n\n    def default(self, obj):\n        if isinstance(obj, Message):\n            # Using 0/1 here instead of False/True to produce more compact json\n            is_safedata = 1 if isinstance(obj.message, SafeData) else 0\n            message = [self.message_key, is_safedata, obj.level, obj.message]\n            if obj.extra_tags:\n                message.append(obj.extra_tags)\n            return message\n        return super().default(obj)"
      },
      {
        "file": "django/contrib/messages/storage/cookie.py",
        "type": "function",
        "name": "decode",
        "class_name": "MessageDecoder",
        "code": "def decode(self, s, **kwargs):\n        decoded = super().decode(s, **kwargs)\n        return self.process_messages(decoded)"
      },
      {
        "file": "django/contrib/messages/storage/cookie.py",
        "type": "function",
        "name": "_encode",
        "class_name": "CookieStorage",
        "code": "def _encode(self, messages, encode_empty=False):\n        \"\"\"\n        Return an encoded version of the messages list which can be stored as\n        plain text.\n\n        Since the data will be retrieved from the client-side, the encoded data\n        also contains a hash to ensure that the data was not tampered with.\n        \"\"\"\n        if messages or encode_empty:\n            encoder = MessageEncoder()\n            value = encoder.encode(messages)\n            return self.signer.sign(value)"
      },
      {
        "file": "django/contrib/messages/storage/cookie.py",
        "type": "function",
        "name": "_decode",
        "class_name": "CookieStorage",
        "code": "def _decode(self, data):\n        \"\"\"\n        Safely decode an encoded text stream back into a list of messages.\n\n        If the encoded text stream contained an invalid hash or was in an\n        invalid format, return None.\n        \"\"\"\n        if not data:\n            return None\n        try:\n            decoded = self.signer.unsign(data)\n        except signing.BadSignature:\n            # RemovedInDjango40Warning: when the deprecation ends, replace\n            # with:\n            #   decoded = None.\n            decoded = self._legacy_decode(data)\n        if decoded:\n            try:\n                return json.loads(decoded, cls=MessageDecoder)\n            except json.JSONDecodeError:\n                pass\n        # Mark the data as used (so it gets removed) since something was wrong\n        # with the data.\n        self.used = True\n        return None"
      }
    ]
  },
  "Justification": "Candidate D is the most helpful because it is closely related to the Django messages framework, just as the CURRENT bug report is. Both involve issues with message handling, and specifically, Candidate D addresses problems with cookie storage for messages, which could provide insights into serialization and deserialization processes relevant to the CURRENT bug. The structural and component similarities between handling cookies and extra tags in messages make Candidate D particularly relevant in debugging potential issues stemming from message serialization complexities, thus aiding the resolution of the CURRENT bug.",
  "instance_id": "django__django-15347",
  "repo": "django/django",
  "created_at": "2022-01-22T01:56:48Z",
  "problem_statement": "Messages framework incorrectly serializes/deserializes extra_tags when it's an empty string\nDescription\n\t\nWhen a message is serialised and then deserialised with any of the built in storage backends, then extra_tags==\"\" is converted to extra_tags==None. This is because MessageEncoder checks for the truthyness of extra_tags rather than checking it is not None.\nTo replicate this bug\n>>> from django.conf import settings\n>>> settings.configure() # Just to allow the following import\n>>> from django.contrib.messages.storage.base import Message\n>>> from django.contrib.messages.storage.cookie import MessageEncoder, MessageDecoder\n>>> original_message = Message(10, \"Here is a message\", extra_tags=\"\")\n>>> encoded_message = MessageEncoder().encode(original_message)\n>>> decoded_message = MessageDecoder().decode(encoded_message)\n>>> original_message.extra_tags == \"\"\nTrue\n>>> decoded_message.extra_tags is None\nTrue\nEffect of the bug in application behaviour\nThis error occurred in the wild with a template tag similar to the following:\n{% if x not in message.extra_tags %}\nWhen the message was displayed as part of a redirect, it had been serialised and deserialized which meant that extra_tags was None instead of the empty string. This caused an error.\nIt's important to note that this bug affects all of the standard API (messages.debug, messages.info etc. all have a default value of extra_tags equal to \"\").\n",
  "patch": "diff --git a/django/contrib/messages/storage/cookie.py b/django/contrib/messages/storage/cookie.py\n--- a/django/contrib/messages/storage/cookie.py\n+++ b/django/contrib/messages/storage/cookie.py\n@@ -19,7 +19,7 @@ def default(self, obj):\n             # Using 0/1 here instead of False/True to produce more compact json\n             is_safedata = 1 if isinstance(obj.message, SafeData) else 0\n             message = [self.message_key, is_safedata, obj.level, obj.message]\n-            if obj.extra_tags:\n+            if obj.extra_tags is not None:\n                 message.append(obj.extra_tags)\n             return message\n         return super().default(obj)\n"
}