Hi guys!
How are you doing?
I am Martin from Argentina. I have used webpy for a few projects and really
like it for its simplicity and decoupled architecture.
A few days ago, I was playing with the code and I saw a code comment which
alerted me, specifically in the "setcookie" function inside
webpy/web/webapi.py. I think that webpy has a security flaw because the
"setcookie" function doesn't allow us to set the cookie's "path" attribute,
and that is a security flaw because an attacker could hijack the cookies of
the whole site, since webpy is not limiting the cookies to some "path".
I also think that the "setcookie" function should allow us to set the cookie's
"max-age" attribute, which holds the cookie's lifetime.
I have made security tests around this flaw and it is possible for an attacker
to hijack cookies because the cookies are sent in every response from the
server (to any resource).
Because of that, I coded a patch for the file webpy/web/webapi.py. The
patch allows the "setcookie" function to handle the "path" and "max-age"
attributes of cookies
according to RFC 2965 (http://www.faqs.org/rfcs/rfc2965.html).
To apply the patch you should do:
cd webpy/web/
patch webapi.py webapi.py.path
I would like to know your feedback about this topic, and please feel free to ask.
Cheers,
--
Alderete, Martin Nicolas
Senior Python Developer
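Added example, not part of this message and not web.py's own code: a Python 3 helper built on the stdlib http.cookies.SimpleCookie that emits a Set-Cookie header carrying Path, Max-Age and an Expires derived from Max-Age (in the Netscape date layout, rendered in GMT), together with the RFC 6265 path-match rule that decides which request paths a browser will send the cookie to. The names build_set_cookie, cookie_date, path_matches and attribute_accepted are hypothetical, and the sample cookie values are constructed.

```python
import email.utils
import time
from http.cookies import CookieError, SimpleCookie


def cookie_date(epoch):
    """Render an epoch timestamp as 'Wdy, DD-Mon-YYYY HH:MM:SS GMT'.

    usegmt=True makes formatdate produce the time in GMT, so the literal
    'GMT' suffix is truthful (formatting local time and appending 'GMT'
    would shift every Expires by the server's UTC offset).
    """
    rfc = email.utils.formatdate(epoch, usegmt=True)  # 'Thu, 01 Jan 1970 00:01:00 GMT'
    return "%s-%s-%s GMT" % (rfc[:7], rfc[8:11], rfc[12:25])


def build_set_cookie(name, value, path="/", max_age=None, domain=None,
                     secure=False, httponly=False, now=None):
    """Return the Set-Cookie header value for one cookie (hypothetical helper).

    SimpleCookie's Morsel only accepts its reserved attribute names, so the
    lifetime attribute is spelled 'max-age' with a hyphen; 'max_age' raises
    CookieError (see attribute_accepted below).
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    if domain:
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    if max_age is not None:
        morsel["max-age"] = int(max_age)
        # Browsers that ignore Max-Age still honour Expires, so derive one
        # from the same lifetime; 'now' is injectable for deterministic tests.
        now = time.time() if now is None else now
        morsel["expires"] = cookie_date(now + int(max_age))
    return morsel.OutputString()


def attribute_accepted(key):
    """True if SimpleCookie accepts `key` as a cookie attribute name."""
    cookie = SimpleCookie()
    cookie["c"] = "v"
    try:
        cookie["c"][key] = 1
        return True
    except CookieError:
        return False


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match, as a browser applies it.

    The cookie is sent when the request path equals the cookie path, or
    starts with it and either the cookie path ends in '/' or the next
    character of the request path is '/'. Hence Path=/app covers /app/login
    but not /application, and Path=/ (web.py's hard-coded default) covers
    every resource on the host.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    # Constructed sample: a session cookie scoped to /app, valid for 60 s.
    header = build_set_cookie("sid", "abc123", path="/app", max_age=60,
                              secure=True, httponly=True, now=0)
    print("Set-Cookie:", header)
    for req in ("/app", "/app/login", "/application", "/other"):
        print("%-13s sent: %s" % (req, path_matches("/app", req)))
```

Path only controls which requests carry the cookie; it is not an isolation boundary. Script running on the same origin under any path can read document.cookie (unless the cookie is HttpOnly) and can set cookies for any path, so Path complements, and does not replace, Secure, HttpOnly and keeping sensitive cookies off shared origins.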
--- webapi.py 2010-10-11 17:03:40.000000000 -0300
+++ webapi_new.py 2010-10-15 20:01:58.000000000 -0300
@@ -30,6 +30,7 @@
import sys, cgi, Cookie, pprint, urlparse, urllib
from utils import storage, storify, threadeddict, dictadd, intget, utf8
+import time
config = storage()
config.__doc__ = """
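Review bot: this hunk adds `import time` but not `formatdate`, which the new `create_cookie_date` in the next hunk calls as a bare name; add `from email.utils import formatdate` (or `import email.utils` and qualify the call) here, otherwise the first `setcookie(..., max_age=...)` call that reaches `create_cookie_date` raises NameError.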
@@ -287,16 +288,33 @@
ctx.data = ctx.env['wsgi.input'].read(cl)
return ctx.data
-def setcookie(name, value, expires="", domain=None, secure=False):
+def create_cookie_date(epoch=None):
+ """
+ Formats the time to ensure compatibility with Netscape's cookie standard.
+ It is calculated using the rules in the HTTP/1.1 specification [RFC2616]
+ The localtime will be used to format the date.
+
+ Outputs a string in the format 'Wdy, DD-Mon-YYYY HH:MM:SS GMT'
+ """
+
+ rfc_date = formatdate(epoch, True)
+ return "%s-%s-%s GMT" % (rfc_date[:7], rfc_date[8:11], rfc_date[12:25])
+
+def setcookie(name, value, expires="", domain=None, path='/', max_age=None, secure=False):
"""Sets a cookie."""
if expires < 0:
- expires = -1000000000
- kargs = {'expires': expires, 'path':'/'}
- if domain:
+ expires = -1000000000
+ kargs = {'expires': expires, 'path': path}
+ if domain:
kargs['domain'] = domain
if secure:
kargs['secure'] = secure
- # @@ should we limit cookies to a different path?
+ if max_age is not None:
+ kargs['max_age'] = max_age
+ # IE require expires instead of max-age, so set it if it wasn't setted yet!
+ if not expires:
+ kargs['expires'] = create_cookie_date(time.time()+max_age)
+
cookie = Cookie.SimpleCookie()
cookie[name] = urllib.quote(utf8(value))
for key, val in kargs.iteritems():
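Review bot: `kargs['max_age'] = max_age` under `if max_age is not None:` uses an underscore, but `Cookie.SimpleCookie`'s Morsel only accepts its reserved attribute names, where this attribute is spelt `max-age`; when the loop over `kargs` at the end of the hunk assigns that key to the Morsel it raises `Cookie.CookieError`, so every call that passes `max_age` fails. Change it to `kargs['max-age'] = max_age`. Separately, `create_cookie_date` calls `formatdate(epoch, True)`, i.e. with `localtime=True`, and then appends a literal `GMT`, so the Expires it emits is the server's local time mislabelled as GMT; use `formatdate(epoch, usegmt=True)` and drop the docstring line saying local time is used. The `"""Sets a cookie."""` docstring should also document the new `path` and `max_age` parameters and their defaults.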