Brian Sutherland
2010-12-17 d7e64797a8809c8321faf4bc08fceb8b56bdb547
Fix auth_tkt plugin to add "secure" to cookies when it is configured with
secure=True. Before this was not added meaning that cookies could be sent
by the browser over insecure channels.

3 files modified
39 ■■■■ changed files
CHANGES.txt 4 ●●●● patch | view | raw | blame | history
repoze/who/plugins/auth_tkt.py 16 ●●●●● patch | view | raw | blame | history
repoze/who/plugins/tests/test_authtkt.py 19 ●●●●● patch | view | raw | blame | history
CHANGES.txt
@@ -12,6 +12,10 @@
- Fix auth_tkt plugin to not hand over tokens as strings to paste. See
  http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
- Fix auth_tkt plugin to add "secure" to cookies when it is configured with
  secure=True. Before this was not added meaning that cookies could be sent
  by the browser over insecure channels.
- Avoid propagating unicode 'max_age' value into cookie headers.  See
  https://bugs.launchpad.net/bugs/674123 .
repoze/who/plugins/auth_tkt.py
@@ -170,15 +170,19 @@
        else:
            max_age = ''
        secure = ''
        if self.secure:
            secure = '; secure'
        cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
        wild_domain = '.' + cur_domain
        cookies = [
            ('Set-Cookie', '%s="%s"; Path=/%s' % (
            self.cookie_name, value, max_age)),
            ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s' % (
            self.cookie_name, value, cur_domain, max_age)),
            ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s' % (
            self.cookie_name, value, wild_domain, max_age))
            ('Set-Cookie', '%s="%s"; Path=/%s%s' % (
            self.cookie_name, value, max_age, secure)),
            ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % (
            self.cookie_name, value, cur_domain, max_age, secure)),
            ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % (
            self.cookie_name, value, wild_domain, max_age, secure))
            ]
        return cookies
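Review bot: The three rebuilt Set-Cookie strings at L37-L42 now carry `; secure` but still no `HttpOnly` attribute, so the auth ticket remains readable from script on any page that can run it. A flag mirroring the `secure` handling would close that without touching existing callers: `httponly = '; HttpOnly' if getattr(self, 'httponly', False) else ''` beside the `secure` assignment, then appended to each of the three format strings exactly as `secure` is. The enclosing method begins above this hunk, so the constructor that would take the matching option is not visible here. Separately, `cur_domain` is read from `HTTP_HOST`, which is the client-supplied Host header and may carry a port; a `Domain=host:port` value is not valid cookie syntax and browsers are likely to drop that cookie, though that is pre-existing context rather than part of this change.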
repoze/who/plugins/tests/test_authtkt.py
@@ -179,6 +179,25 @@
                                           'userdata':'userdata'})
        self.assertEqual(result, None)
    def test_remember_creds_secure(self):
        plugin = self._makeOne('secret', secure=True)
        val = self._makeTicket(userid='userid', secure=True)
        environ = self._makeEnviron()
        result = plugin.remember(environ, {'repoze.who.userid':'userid',
                                           'userdata':'userdata'})
        self.assertEqual(len(result), 3)
        self.assertEqual(result[0],
                         ('Set-Cookie',
                          'auth_tkt="%s"; Path=/; secure' % val))
        self.assertEqual(result[1],
                         ('Set-Cookie',
                           'auth_tkt="%s"; Path=/; Domain=localhost; secure'
                            % val))
        self.assertEqual(result[2],
                         ('Set-Cookie',
                           'auth_tkt="%s"; Path=/; Domain=.localhost; secure'
                            % val))
    def test_remember_creds_different(self):
        plugin = self._makeOne('secret')
        old_val = self._makeTicket(userid='userid')
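Review bot: `test_remember_creds_secure` only asserts that `; secure` appears when the plugin is built with secure=True; a cookie builder that unconditionally appended `'; secure'` would pass it too, so nothing pins the attribute as conditional on the option. A negative check on a plugin built without secure, e.g. `self.assertFalse(any('secure' in v for _, v in result))`, in the existing default-plugin remember test (if one exists above this hunk) or as a small sibling test would cover the other branch. `test_remember_creds_different` starts at the end of this hunk and continues past it.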