[ http://issues.apache.org/jira/browse/MODPYTHON-191?page=all ]
Work on MODPYTHON-191 started by Graham Dumpleton.

> Tampering with signed cookies.
> ------------------------------
>
>                 Key: MODPYTHON-191
>                 URL: http://issues.apache.org/jira/browse/MODPYTHON-191
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.2.10
>            Reporter: Graham Dumpleton
>         Assigned To: Graham Dumpleton
>             Fix For: 3.3
>
>
> As reported by Andy Pearce in:
>
>   http://mail-archives.apache.org/mod_mbox/httpd-python-dev/200609.mbox/[EMAIL PROTECTED]
>
> Andy Pearce wrote:
> >
> > Hi,
> >
> > I think I might have spotted a slight bug in Session.py. When the
> > 'secret' parameter is supplied to use the SignedCookie class, it appears
> > that __init__ of BaseSession doesn't check the return type of
> > get_cookies().
> >
> > If I understand the SignedCookie docs correctly, if the cookie value
> > doesn't match its signature, it simply returns the contents as a Cookie
> > rather than a SignedCookie (indicating that the user tampered with their
> > cookie before sending it back).
> >
> > However, there is no check in BaseSession's __init__ that the return of
> > get_cookies() is a SignedCookie in the case that 'secret' is supplied.
> >
> > Perhaps a minor point, but it would seem to make the option of using
> > SignedCookies rather pointless, since the signature isn't being checked.
> > Presumably if the cookie has been tampered with, your only safe option
> > is to throw it away and generate a new one. I think this can be achieved
> > by changing the lines:
> >
> >     if cookies.has_key(session_cookie_name):
> >         self._sid = cookies[session_cookie_name].value
> >
> > To something like:
> >
> >     if cookies.has_key(session_cookie_name):
> >         # With a secret, only a cookie whose signature verified may supply the sid.
> >         if not secret or type(cookies[session_cookie_name]) \
> >                 is Cookie.SignedCookie:
> >             self._sid = cookies[session_cookie_name].value
> >
> > I'm fairly new to mod_python, so if I'm mistaken then my apologies, and
> > a quick explanation of why would be very much appreciated! ^_^
> >
> > Thanks,
> >
> > - Andy
>
> Is this correct, and is the suggested change appropriate?

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
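The failure Andy describes, as an added stand-alone model (not mod_python's Session.py or Cookie.py): a cookie parser that silently degrades an unverifiable signed cookie to a plain Cookie, the unchecked session lookup that then accepts the tampered sid, and the type check that discards it. The `sig:value` layout, the HMAC-SHA256 scheme, the `pysid` name and the secret are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str


@dataclass
class SignedCookie(Cookie):
    """Produced only when the signature verified against the secret."""


def _sign(secret: bytes, name: str, value: str) -> str:
    # Constructed scheme: HMAC-SHA256 over "name=value"; not mod_python's format.
    return hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def make_signed_value(secret: bytes, name: str, value: str) -> str:
    return f"{_sign(secret, name, value)}:{value}"


def parse_cookies(header: str, secret=None) -> dict:
    """Like the behaviour Andy reports: a verified signature yields a SignedCookie,
    anything else (no secret, bad signature, no signature) yields a plain Cookie."""
    cookies = {}
    for part in header.split(";"):
        name, _, raw = part.strip().partition("=")
        if not name:
            continue
        sig, sep, value = raw.partition(":")
        if secret is not None and sep and hmac.compare_digest(sig, _sign(secret, name, value)):
            cookies[name] = SignedCookie(name, value)
        else:
            cookies[name] = Cookie(name, raw)
    return cookies


def unchecked_session_id(cookies: dict, name: str = "pysid"):
    """The reported bug: the sid is taken whatever type get_cookies() returned."""
    return cookies[name].value if name in cookies else None


def checked_session_id(cookies: dict, secret, name: str = "pysid"):
    """Andy's fix: with a secret, a non-SignedCookie means tampering; return None
    so the caller discards it and generates a fresh session."""
    cookie = cookies.get(name)
    if cookie is None or (secret and not isinstance(cookie, SignedCookie)):
        return None
    return cookie.value


SECRET = b"constructed-demo-secret"  # constructed value for the example
GOOD = make_signed_value(SECRET, "pysid", "abc123")
TAMPERED = GOOD.partition(":")[0] + ":zzz999"  # old signature, altered sid
```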