New submission from Raphael Slinckx <r.slin...@whatever-company.com>:

If you look at line 132 in auth_tkt.py:

ticket = auth_tkt.AuthTicket([...])
new_cookie_value = ticket.cookie_value()
[...]
return self._get_cookies(environ, new_cookie_value)

The value of the cookie is computed using paste's auth tkt mechanism, but then
is passed as-is to _get_cookies, which in turn does the following:

('Set-Cookie', '%s=%s; Path=/' % (self.cookie_name, value))

Now, if the cookie value contains any illegal chars such as 'space', then the
cookie will be worthless. It should then be quoted.

Paste uses Python's SimpleCookie to generate the Set-Cookie header, which
handles all the quoting logic so that if the cookie value is 'foo bar' it will
use key="foo bar" and if the value is 'foobar' it will use key=foobar.

The space issue happens whenever a userid is a user_name with a space char in
it since the user name is appended to the digest as is...
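The contrast described above, as an added example that is not code from the report or from repoze.who: the unquoted header that _get_cookies builds is placed beside the SimpleCookie-quoted form, and both are parsed back to show which one survives a userid containing a space. The ticket construction is a simplification (a hex digest with the raw userid appended, as the report describes); the secret, userids and function names are assumed for illustration.

```python
import hashlib
from http.cookies import SimpleCookie
from typing import Optional, Tuple

COOKIE_NAME = "auth_tkt"  # name assumed for the example


def make_ticket_value(secret: str, userid: str) -> str:
    """Constructed stand-in for a ticket value: a hex digest followed by the
    userid appended as-is (the real auth_tkt layout carries more fields)."""
    digest = hashlib.sha256(f"{secret}{userid}".encode()).hexdigest()
    return digest + userid


def naive_set_cookie(name: str, value: str) -> Tuple[str, str]:
    """The unquoted header the report points at: value is interpolated raw,
    so any character outside the cookie token set breaks the header."""
    return ("Set-Cookie", "%s=%s; Path=/" % (name, value))


def quoted_set_cookie(name: str, value: str) -> Tuple[str, str]:
    """SimpleCookie wraps the value in double quotes only when it contains
    characters outside the token set, and leaves a plain token untouched."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    return ("Set-Cookie", cookie[name].OutputString())


def parse_cookie_value(name: str, header_value: str) -> Optional[str]:
    """Parse a Set-Cookie string back with SimpleCookie; returns None when the
    cookie is rejected or the named morsel is missing."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    morsel = cookie.get(name)
    return morsel.value if morsel is not None else None


if __name__ == "__main__":
    # Constructed inputs: one userid with a space, one without.
    for userid in ("jane doe", "janedoe"):
        ticket = make_ticket_value("example-secret", userid)
        for label, builder in (("naive", naive_set_cookie), ("quoted", quoted_set_cookie)):
            header = builder(COOKIE_NAME, ticket)[1]
            recovered = parse_cookie_value(COOKIE_NAME, header)
            print(f"{label:6} userid={userid!r} round-trips: {recovered == ticket}")
```

Only the quoted form round-trips for "jane doe"; for a space-free userid both builders emit the same header, because SimpleCookie does not quote a value that is already a valid token.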

----------
messages: 141
nosy: rslinckx
priority: bug
status: unread
title: repoze.who auth_tkt is broken when using string userid containing spaces

__________________________________
Repoze Bugs <b...@bugs.repoze.org>
<http://bugs.repoze.org/issue60>
__________________________________
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev