New submission from Raphael Slinckx <r.slin...@whatever-company.com>:

If you look at line 132 in auth_tkt.py:

    ticket = auth_tkt.AuthTicket([...])
    new_cookie_value = ticket.cookie_value()
    [...]
    return self._get_cookies(environ, new_cookie_value)

The value of the cookie is computed using paste's auth tkt mechanism, but then
is passed as-is to _get_cookies, which in turn does the following:

    ('Set-Cookie', '%s=%s; Path=/' % (self.cookie_name, value))

Now, if the cookie value contains any illegal chars such as 'space', then the
cookie will be worthless. It should then be quoted.

Paste uses Python's SimpleCookie to generate the Set-Cookie header, which
handles all the quoting logic so that if the cookie value is 'foo bar' it will
use key="foo bar" and if the key is 'foobar' it will use key=foobar.

The space issue happens whenever a userid is a user_name with a space char in
it, since the user name is appended to the digest as is...

----------
messages: 141
nosy: rslinckx
priority: bug
status: unread
title: repoze.who auth_tkt is broken when using string userid containing spaces

__________________________________
Repoze Bugs <b...@bugs.repoze.org>
<http://bugs.repoze.org/issue60>
__________________________________
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
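
The difference the report describes, as an added example that is not part of the original message or of repoze.who: the same ticket value emitted with plain string formatting and through SimpleCookie, then parsed back. It assumes Python 3's `http.cookies`; the cookie name, the ticket value and the helper names are constructed for illustration.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "auth_tkt"  # assumed cookie name for this example

# Constructed stand-in for a ticket: hex digest, hex timestamp, then a
# userid containing a space. Not real paste output.
SAMPLE_TICKET = "0123456789abcdef0123456789abcdef4a5b6c7djohn smith!"


def raw_set_cookie(name, value):
    """Header built by plain string formatting, as quoted in the report."""
    return ("Set-Cookie", "%s=%s; Path=/" % (name, value))


def quoted_set_cookie(name, value):
    """Header built through SimpleCookie, which quotes only when needed."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    return ("Set-Cookie", cookie[name].OutputString())


def round_trip(set_cookie_value, name):
    """Parse the name=value pair back with SimpleCookie.

    Returns the decoded value, or None when the parser rejects the pair.
    """
    pair = set_cookie_value.split(";", 1)[0]
    jar = SimpleCookie()
    jar.load(pair)
    return jar[name].value if name in jar else None


if __name__ == "__main__":
    for build in (raw_set_cookie, quoted_set_cookie):
        header = build(COOKIE_NAME, SAMPLE_TICKET)
        recovered = round_trip(header[1], COOKIE_NAME)
        print(build.__name__)
        print("  header:   ", header[1])
        print("  recovered:", repr(recovered))
        print("  intact:   ", recovered == SAMPLE_TICKET)
```

Depending on the Python version, parsing the unquoted header either truncates the value at the space or rejects the cookie outright; in both cases the ticket that comes back no longer matches the one that was issued.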