Brian Sutherland
2010-11-30 fc9a88b113b48c5230b075ee2b06c023a190cc84
Fix auth_tkt plugin to not hand over tokens as strings to paste. See
http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html

3 files modified
45 ■■■■ changed files
CHANGES.txt 3 ●●●●● patch | view | raw | blame | history
repoze/who/plugins/auth_tkt.py 9 ●●●●● patch | view | raw | blame | history
repoze/who/plugins/tests/test_authtkt.py 33 ●●●● patch | view | raw | blame | history
CHANGES.txt
@@ -4,6 +4,9 @@
After 2.0a3 (unreleased)
------------------------
- Fix auth_tkt plugin to not hand over tokens as strings to paste. See
  http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
- Avoid propagating unicode 'max_age' value into cookie headers.  See
  https://bugs.launchpad.net/bugs/674123 .
repoze/who/plugins/auth_tkt.py
@@ -107,7 +107,7 @@
        old_cookie_value = getattr(existing, 'value', None)
        max_age = identity.get('max_age', None)
        timestamp, userid, tokens, userdata = None, '', '', ''
        timestamp, userid, tokens, userdata = None, '', (), ''
        if old_cookie_value:
            try:
@@ -115,9 +115,10 @@
                    self.secret, old_cookie_value, remote_addr)
            except auth_tkt.BadTicket:
                pass
        tokens = tuple(tokens)
        who_userid = identity['repoze.who.userid']
        who_tokens = identity.get('tokens', '')
        who_tokens = tuple(identity.get('tokens', ()))
        who_userdata = identity.get('userdata', '')
        encoding_data = self.userid_type_encoders.get(type(who_userid))
@@ -126,10 +127,6 @@
            who_userid = encoder(who_userid)
            who_userdata = 'userid_type:%s' % encoding
        
        if not isinstance(tokens, basestring):
            tokens = ','.join(tokens)
        if not isinstance(who_tokens, basestring):
            who_tokens = ','.join(who_tokens)
        old_data = (userid, tokens, userdata)
        new_data = (who_userid, who_tokens, who_userdata)
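Review bot: `who_tokens = tuple(identity.get('tokens', ()))` silently turns a string value into a tuple of single characters, so a caller that still supplies `'tokens': 'foo,bar'` — the form the deleted `isinstance(who_tokens, basestring)` branch used to accept — ends up with a ticket carrying the tokens `f`, `o`, `o`, `,`, `b`, `a`, `r` instead of an error, which changes what the ticket asserts without anyone noticing. Splitting a string on `,` before the `tuple()` call (or rejecting strings outright) keeps the old input form working while still handing paste only a sequence. The tuple built from `parse_ticket` deserves the same scrutiny: if that helper returns `['']` for a ticket with no tokens (its code is not visible here), `old_data` would never equal `new_data` for token-less identities and the cookie would be reissued on every request, so a test with empty tokens on both sides would be worth adding. remember() starts and ends outside these hunks.
```python
who_tokens = identity.get('tokens', ())
if isinstance(who_tokens, basestring):
    # Legacy callers passed a comma-joined string; never tuple() a str.
    who_tokens = who_tokens.split(',') if who_tokens else []
who_tokens = tuple(who_tokens)
```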
repoze/who/plugins/tests/test_authtkt.py
@@ -241,15 +241,15 @@
                           'auth_tkt="%s"; Path=/; Domain=.localhost'
                            % new_val))
    def test_remember_creds_different_with_nonstring_tokens(self):
    def test_remember_creds_different_with_tokens(self):
        plugin = self._makeOne('secret')
        old_val = self._makeTicket(userid='userid')
        environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
        new_val = self._makeTicket(userid='other',
        new_val = self._makeTicket(userid='userid',
                                   userdata='userdata',
                                   tokens='foo,bar',
                                   tokens=['foo', 'bar'],
                                  )
        result = plugin.remember(environ, {'repoze.who.userid': 'other',
        result = plugin.remember(environ, {'repoze.who.userid': 'userid',
                                           'userdata': 'userdata',
                                           'tokens': ['foo', 'bar'],
                                          })
@@ -266,6 +266,31 @@
                           'auth_tkt="%s"; Path=/; Domain=.localhost'
                            % new_val))
    def test_remember_creds_different_with_tuple_tokens(self):
        plugin = self._makeOne('secret')
        old_val = self._makeTicket(userid='userid')
        environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
        new_val = self._makeTicket(userid='userid',
                                   userdata='userdata',
                                   tokens=['foo', 'bar'],
                                  )
        result = plugin.remember(environ, {'repoze.who.userid': 'userid',
                                           'userdata': 'userdata',
                                           'tokens': ('foo', 'bar'),
                                          })
        self.assertEqual(len(result), 3)
        self.assertEqual(result[0],
                         ('Set-Cookie',
                          'auth_tkt="%s"; Path=/' % new_val))
        self.assertEqual(result[1],
                         ('Set-Cookie',
                           'auth_tkt="%s"; Path=/; Domain=localhost'
                            % new_val))
        self.assertEqual(result[2],
                         ('Set-Cookie',
                           'auth_tkt="%s"; Path=/; Domain=.localhost'
                            % new_val))
    def test_remember_creds_different_int_userid(self):
        plugin = self._makeOne('secret')
        old_val = self._makeTicket(userid='userid')