[Repoze-dev] [issue60] repoze.who auth_tkt is broken when using string userid containing spaces

2009-04-14 Thread Raphael Slinckx

Raphael Slinckx r.slin...@whatever-company.com added the comment:

It doesn't matter if it's a binary string or not, the point is to escape it
properly to be stored in a cookie.

__
Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue60
__
___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev


[Repoze-dev] [issue60] repoze.who auth_tkt is broken when using string userid containing spaces

2009-04-10 Thread Michael Pedersen

Michael Pedersen rep...@icelus.org added the comment:

Attaching a patch that was made by mcdonc. I just updated the test cases. This
patch should clear up the issue with the spaces pretty well entirely. I know it
did for my use, anyway.

Index: repoze/who/plugins/auth_tkt.py
===
--- repoze/who/plugins/auth_tkt.py  (revision 4111)
+++ repoze/who/plugins/auth_tkt.py  (working copy)
@@ -75,11 +75,11 @@
 cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
 wild_domain = '.' + cur_domain
 cookies = [
-('Set-Cookie', '%s=%s; Path=/' % (
+('Set-Cookie', '%s=%s; Path=/' % (
 self.cookie_name, value)),
-('Set-Cookie', '%s=%s; Path=/; Domain=%s' % (
+('Set-Cookie', '%s=%s; Path=/; Domain=%s' % (
 self.cookie_name, value, cur_domain)),
-('Set-Cookie', '%s=%s; Path=/; Domain=%s' % (
+('Set-Cookie', '%s=%s; Path=/; Domain=%s' % (
 self.cookie_name, value, wild_domain))
 ]
 return cookies
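Review bot: In all three Set-Cookie tuples the ticket is still spliced into the header with plain % formatting, so the escaping rule lives in a format string repeated three times, and this single hunk is the only change to auth_tkt.py, leaving the code that reads the cookie back untouched. Consider producing the name=value part once, through the same SimpleCookie quoting the issue report says paste uses, and reusing it for the Path and both Domain variants; then confirm the reading side unquotes what this side emits. As rendered in this message the removed and added lines are character-for-character identical, so the quoting itself cannot be checked from the archived copy.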
Index: repoze/who/tests.py
===
--- repoze/who/tests.py (revision 4111)
+++ repoze/who/tests.py (working copy)
@@ -1627,13 +1627,13 @@
 self.assertEqual(len(result), 3)
 self.assertEqual(result[0],
  ('Set-Cookie',
-  'auth_tkt=%s; Path=/' % new_val))
+  'auth_tkt=%s; Path=/' % new_val))
 self.assertEqual(result[1],
  ('Set-Cookie',
-   'auth_tkt=%s; Path=/; Domain=localhost' % new_val))
+   'auth_tkt=%s; Path=/; Domain=localhost' % 
new_val))
 self.assertEqual(result[2],
  ('Set-Cookie',
-   'auth_tkt=%s; Path=/; Domain=.localhost' % new_val))
+   'auth_tkt=%s; Path=/; Domain=.localhost' % 
new_val))
 
 def test_remember_creds_different_int_userid(self):
 plugin = self._makeOne('secret')
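Review bot: The two Domain assertions in this hunk were line-wrapped in transit: the added line ends at `%` and `new_val))` continues on the next line with no leading `+`, so this part of the patch will not apply as posted. Re-send it unwrapped, or keep the added lines short enough not to wrap, for example by building the expected string in a local variable before the assertEqual call.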
@@ -1646,7 +1646,7 @@
 self.assertEqual(len(result), 3)
 self.assertEqual(result[0],
  ('Set-Cookie',
-  'auth_tkt=%s; Path=/' % new_val))
+  'auth_tkt=%s; Path=/' % new_val))
 
 def test_remember_creds_different_long_userid(self):
 plugin = self._makeOne('secret')
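Review bot: This test asserts `len(result) == 3` but then checks only `result[0]`, so the Domain=localhost and Domain=.localhost headers that the first test in this diff verifies go unchecked for the int userid; the long userid test in the next hunk has the same gap. Since the change to auth_tkt.py touches all three format strings, assert `result[1]` and `result[2]` here as well.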
@@ -1658,7 +1658,7 @@
 self.assertEqual(len(result), 3)
 self.assertEqual(result[0],
  ('Set-Cookie',
-  'auth_tkt=%s; Path=/' % new_val))
+  'auth_tkt=%s; Path=/' % new_val))
 
 def test_remember_creds_different_unicode_userid(self):
 plugin = self._makeOne('secret')
@@ -1673,7 +1673,7 @@
 self.assertEqual(len(result), 3)
 self.assertEqual(result[0],
  ('Set-Cookie',
-  'auth_tkt=%s; Path=/' % new_val))
+  'auth_tkt=%s; Path=/' % new_val))
 
 def test_forget(self):
 plugin = self._makeOne('secret')
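Review bot: The tests touched by this patch cover int, long and unicode userids, but none of them uses a userid containing a space, which is the case issue60 reports. Add a test next to test_remember_creds_different_unicode_userid that remembers a userid such as 'foo bar' and checks the resulting Set-Cookie value, ideally also feeding that value back through the plugin's cookie-reading path to show the round trip.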
@@ -1683,7 +1683,7 @@
 header = headers[0]
 name, value = header
 self.assertEqual(name, 'Set-Cookie')
-self.assertEqual(value, 'auth_tkt=; Path=/')
+self.assertEqual(value, 'auth_tkt=; Path=/')
 header = headers[1]
 name, value = header
 self.assertEqual(name, 'Set-Cookie')
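Review bot: Only the `headers[0]` value assertion in test_forget is changed; the hunk ends three context lines later at the `headers[1]` name check, so the value assertions for the remaining forget headers are left as they were. If the forget cookies are emitted in the same format as the remember cookies, those expectations need the same update; if they are deliberately different, a comment in the test saying so would help.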


[Repoze-dev] [issue60] repoze.who auth_tkt is broken when using string userid containing spaces

2009-02-13 Thread Raphael Slinckx

New submission from Raphael Slinckx r.slin...@whatever-company.com:

If you look at line 132 in auth_tkt.py:

ticket = auth_tkt.AuthTicket([...])
new_cookie_value = ticket.cookie_value()
[...]
return self._get_cookies(environ, new_cookie_value)

The value of the cookie is computed using paste's auth tkt mechanism, but then
is passed as-is to _get_cookies, which in turn does the following:

('Set-Cookie', '%s=%s; Path=/' % (self.cookie_name, value))

Now, if the cookie value contains any illegal chars such as 'space', then the
cookie will be worthless. It should then be quoted. 

Paste uses Python's SimpleCookie to generate the set-cookie header, which
handles all the quoting logic so that if the cookie value is 'foo bar' it will
use key=foo bar and if the key is 'foobar' it will use key=foobar.

The space issue happens whenever a userid is a user_name with a space char in
it since the user name is appended to the digest as is...

--
messages: 141
nosy: rslinckx
priority: bug
status: unread
title: repoze.who auth_tkt is broken when using string userid containing spaces

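
The quoting difference described in the original submission, as an added example that is not code from repoze.who or Paste. It uses Python 3's http.cookies (the successor of the Cookie module of the thread's era); the function names, the simplified ticket layout and the sample ticket are constructed for illustration, and the client is assumed to echo the name=value pair verbatim.

```python
"""Raw '%s=%s' interpolation vs. SimpleCookie quoting for a ticket with a space."""
from http.cookies import CookieError, SimpleCookie

# Constructed sample, simplified layout: hex digest + hex timestamp + userid + '!'
SAMPLE_TICKET = "0123456789abcdef0123456789abcdef" + "49e4a8c0" + "john smith" + "!"


def raw_header(name, value):
    """Header value built the way the issue quotes _get_cookies doing it."""
    return "%s=%s; Path=/" % (name, value)


def quoted_header(name, value):
    """Header value built by SimpleCookie, which quotes values that need it."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def read_back(header_value, name):
    """Parse the name=value pair as if a client echoed it in a Cookie header.

    Returns the decoded value, or None if the parser rejects the pair.
    (Verbatim echo by the client is an assumption of this example.)
    """
    pair = header_value.split(";", 1)[0]
    jar = SimpleCookie()
    try:
        jar.load(pair)
    except CookieError:
        return None
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


if __name__ == "__main__":
    for build in (raw_header, quoted_header):
        header = build("auth_tkt", SAMPLE_TICKET)
        print(build.__name__, "->", header)
        print("  read back intact:", read_back(header, "auth_tkt") == SAMPLE_TICKET)
```

Depending on the Python version, the parser either truncates the raw value at the space or rejects the whole pair; in both cases the ticket that comes back no longer matches the one that was issued.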