Flask using bytes instead of str during SecureCookieSessionInterface.save_session

[odubno]

Hi everyone,

I'm currently working with the latest versions of Flask, Werkzeug, and itsdangerous on Python 3.11.9 and encountered a TypeError related to string vs bytes where string is required for werkzeug.

Here are the versions I am using:

Flask==3.0.3
Flask-Login==0.6.3
itsdangerous==2.2.0
Werkzeug==3.0.3

Issue:

When calling self.get_signing_serializer(app).dumps(dict(session)) [source: github], it returns a bytes object. Feeding this bytes value into response.set_cookie results in the following TypeError:

TypeError: cannot use a string pattern on a bytes-like object

Details:

• get_signing_serializer returns URLSafeTimedSerializer, which is part of itsdangerous.
  • URLSafeTimedSerializer.dumps() returns bytes.
• werkzeug==3.0.3 seems to expect string values for cookies starting from version 3.0.0.
  If you remove the # type: ignore[union-attr] comment, you should see that types are not handled correctly.

Steps Taken:

Tried various combinations of Flask and itsdangerous versions to work with Werkzeug 3.0.3 but couldn't resolve the bytes issue.
Using Werkzeug 3.0.3 is necessary due to security vulnerabilities in earlier versions.

Full Traceback

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/local/lib/python3.11/site-packages/werkzeug/test.py:1162: in get
    return self.open(*args, **kw)
/usr/local/lib/python3.11/site-packages/flask/testing.py:235: in open
    response = super().open(
/usr/local/lib/python3.11/site-packages/werkzeug/test.py:1116: in open
    response_parts = self.run_wsgi_app(request.environ, buffered=buffered)
/usr/local/lib/python3.11/site-packages/werkzeug/test.py:988: in run_wsgi_app
    rv = run_wsgi_app(self.application, environ, buffered=buffered)
/usr/local/lib/python3.11/site-packages/werkzeug/test.py:1264: in run_wsgi_app
    app_rv = app(environ, start_response)
/usr/local/lib/python3.11/site-packages/sentry_sdk/integrations/flask.py:89: in sentry_patched_wsgi_app
    return SentryWsgiMiddleware(lambda *a, **kw: old_app(self, *a, **kw))(
/usr/local/lib/python3.11/site-packages/sentry_sdk/integrations/wsgi.py:115: in __call__
    reraise(*_capture_exception(hub))
/usr/local/lib/python3.11/site-packages/sentry_sdk/_compat.py:115: in reraise
    raise value
/usr/local/lib/python3.11/site-packages/sentry_sdk/integrations/wsgi.py:108: in __call__
    rv = self.app(
/usr/local/lib/python3.11/site-packages/sentry_sdk/integrations/flask.py:89: in <lambda>
    return SentryWsgiMiddleware(lambda *a, **kw: old_app(self, *a, **kw))(
/usr/local/lib/python3.11/site-packages/flask/app.py:1498: in __call__
    return self.wsgi_app(environ, start_response)
/usr/local/lib/python3.11/site-packages/werkzeug/middleware/proxy_fix.py:183: in __call__
    return self.app(environ, start_response)
/usr/local/lib/python3.11/site-packages/flask/app.py:1476: in wsgi_app
    response = self.handle_exception(e)
/usr/local/lib/python3.11/site-packages/flask/app.py:1473: in wsgi_app
    response = self.full_dispatch_request()
/usr/local/lib/python3.11/site-packages/flask/app.py:883: in full_dispatch_request
    return self.finalize_request(rv)
/usr/local/lib/python3.11/site-packages/flask/app.py:904: in finalize_request
    response = self.process_response(response)
/usr/local/lib/python3.11/site-packages/flask/app.py:1284: in process_response
    self.session_interface.save_session(self, ctx.session, response)
/usr/local/lib/python3.11/site-packages/flask/sessions.py:369: in save_session
    response.set_cookie(
/usr/local/lib/python3.11/site-packages/werkzeug/sansio/response.py:227: in set_cookie
    dump_cookie(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

key = 'session'
value = b'eyJhbGciOiJIUzI1NiIsImlhdCI6MTcyMTc1MTMzNiwiZXhwIjoxNzIyMzU2MTM2fQ.eyJhdXRoIjoiZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJN...RjWlJid09CUHpfa1oyREJ1cG9pWHZSMDFpUkFqVHhhM1p1NHdEYTlwS3c2blF6SHpKZDI5dyJ9.0dBgcYkw19mKkF4gAXvutd_z0MzA1eKBtbmh5JOXe5Q'
max_age = None, expires = None, path = '/', domain = None, secure = True, httponly = False, sync_expires = True, max_size = 4093, samesite = None

    def dump_cookie(
        key: str,
        value: str = "",
        max_age: timedelta | int | None = None,
        expires: str | datetime | int | float | None = None,
        path: str | None = "/",
        domain: str | None = None,
        secure: bool = False,
        httponly: bool = False,
        sync_expires: bool = True,
        max_size: int = 4093,
        samesite: str | None = None,
    ) -> str:
        """Create a Set-Cookie header without the ``Set-Cookie`` prefix.

        The return value is usually restricted to ascii as the vast majority
        of values are properly escaped, but that is no guarantee. It's
        tunneled through latin1 as required by :pep:`3333`.

        The return value is not ASCII safe if the key contains unicode
        characters.  This is technically against the specification but
        happens in the wild.  It's strongly recommended to not use
        non-ASCII values for the keys.

        :param max_age: should be a number of seconds, or `None` (default) if
                        the cookie should last only as long as the client's
                        browser session.  Additionally `timedelta` objects
                        are accepted, too.
        :param expires: should be a `datetime` object or unix timestamp.
        :param path: limits the cookie to a given path, per default it will
                     span the whole domain.
        :param domain: Use this if you want to set a cross-domain cookie. For
                       example, ``domain="example.com"`` will set a cookie
                       that is readable by the domain ``www.example.com``,
                       ``foo.example.com`` etc. Otherwise, a cookie will only
                       be readable by the domain that set it.
        :param secure: The cookie will only be available via HTTPS
        :param httponly: disallow JavaScript to access the cookie.  This is an
                         extension to the cookie standard and probably not
                         supported by all browsers.
        :param charset: the encoding for string values.
        :param sync_expires: automatically set expires if max_age is defined
                             but expires not.
        :param max_size: Warn if the final header value exceeds this size. The
            default, 4093, should be safely `supported by most browsers
            <cookie_>`_. Set to 0 to disable this check.
        :param samesite: Limits the scope of the cookie such that it will
            only be attached to requests if those requests are same-site.

        .. _`cookie`: http://browsercookielimits.squawky.net/

        .. versionchanged:: 3.0
            Passing bytes, and the ``charset`` parameter, were removed.

        .. versionchanged:: 2.3.3
            The ``path`` parameter is ``/`` by default.

        .. versionchanged:: 2.3.1
            The value allows more characters without quoting.

        .. versionchanged:: 2.3
            ``localhost`` and other names without a dot are allowed for the domain. A
            leading dot is ignored.

        .. versionchanged:: 2.3
            The ``path`` parameter is ``None`` by default.

        .. versionchanged:: 1.0.0
            The string ``'None'`` is accepted for ``samesite``.
        """
        if path is not None:
            # safe = https://url.spec.whatwg.org/#url-path-segment-string
            # as well as percent for things that are already quoted
            # excluding semicolon since it's part of the header syntax
            path = quote(path, safe="%!$&'()*+,/:=@")

        if domain:
            domain = domain.partition(":")[0].lstrip(".").encode("idna").decode("ascii")

        if isinstance(max_age, timedelta):
            max_age = int(max_age.total_seconds())

        if expires is not None:
            if not isinstance(expires, str):
                expires = http_date(expires)
        elif max_age is not None and sync_expires:
            expires = http_date(datetime.now(tz=timezone.utc).timestamp() + max_age)

        if samesite is not None:
            samesite = samesite.title()

            if samesite not in {"Strict", "Lax", "None"}:
                raise ValueError("SameSite must be 'Strict', 'Lax', or 'None'.")

        # Quote value if it contains characters not allowed by RFC 6265. Slash-escape with
        # three octal digits, which matches http.cookies, although the RFC suggests base64.
>       if not _cookie_no_quote_re.fullmatch(value):
E       TypeError: cannot use a string pattern on a bytes-like object

/usr/local/lib/python3.11/site-packages/werkzeug/http.py:1301: TypeError

[davidism]

I can't reproduce this with the information provided. Making a request that saves session data does not raise the error shown. URLSafeTimedSerializer returns string, not bytes. Be sure to include a minimal reproducible example.

[odubno]

I'll work to reproduce in a test, in the mean time dump_payload of URLSafeTimedSerializer returns bytes [source: github]

[davidism]

That's a different, internal method.