Hi Maurits,

On 2010-8-12 16:43, Maurits van Rees wrote:
> Log message for revision 115650:
>    Fixed possible TypeError in extractCredentials of CookieAuthHelper when 
> the __ac cookie is not ours (but e.g. from plone.session, though even then 
> only in a corner case).
>
> Changed:
>    U   Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
>    U   Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py
>
> -=-
> Modified: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
> ===================================================================
> --- 
> Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
>       2010-08-12 09:03:42 UTC (rev 115649)
> +++ 
> Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
>       2010-08-12 14:43:10 UTC (rev 115650)
> @@ -125,8 +125,12 @@
>                   # Cookie is in a different format, so it is not ours
>                   return creds
>
> -            creds['login'] = login.decode('hex')
> -            creds['password'] = password.decode('hex')
> +            try:
> +                creds['login'] = login.decode('hex')
> +                creds['password'] = password.decode('hex')
> +            except TypeError:
> +                # Cookie is in a different format, so it is not ours
> +                return creds
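
Review bot: Inside the new try block, creds['login'] is assigned before password.decode('hex') is evaluated, so if only the password value fails to decode, the except TypeError branch returns creds with 'login' already populated. Decode both values into local variables inside the try and copy them into creds only after both succeed, or clear the partially filled mapping in the except branch before returning, so a cookie that is "not ours" never yields a login without a password.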

That looks incorrect: if the password.decode fails you are now returning 
a half credential set with only login set, instead of an empty set.

Wichert.

-- 
Wichert Akkerman <wich...@wiggy.net>   It is simple to make things.
http://www.wiggy.net/                  It is hard to make things simple.