From fc9a88b113b48c5230b075ee2b06c023a190cc84 Mon Sep 17 00:00:00 2001
From: Brian Sutherland <brian@vanguardistas.net>
Date: Tue, 30 Nov 2010 16:36:52 +0100
Subject: [PATCH] Fix auth_tkt plugin to not hand over tokens as strings to paste.

See http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
---
 repoze/who/plugins/tests/test_authtkt.py | 33 +++++++++++++++++++++++++++++----
 CHANGES.txt                              |  3 +++
 repoze/who/plugins/auth_tkt.py           |  9 +++------
 3 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index 00b7880..e13cdfe 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,9 @@
 After 2.0a3 (unreleased)
 ------------------------
 
+- Fix auth_tkt plugin to not hand over tokens as strings to paste. See
+  http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
+
 - Avoid propagating unicode 'max_age' value into cookie headers. See
   https://bugs.launchpad.net/bugs/674123 .
 
diff --git a/repoze/who/plugins/auth_tkt.py b/repoze/who/plugins/auth_tkt.py
index 6322f95..94f7e20 100644
--- a/repoze/who/plugins/auth_tkt.py
+++ b/repoze/who/plugins/auth_tkt.py
@@ -107,7 +107,7 @@
         old_cookie_value = getattr(existing, 'value', None)
         max_age = identity.get('max_age', None)
 
-        timestamp, userid, tokens, userdata = None, '', '', ''
+        timestamp, userid, tokens, userdata = None, '', (), ''
 
         if old_cookie_value:
             try:
@@ -115,9 +115,10 @@
                     self.secret, old_cookie_value, remote_addr)
             except auth_tkt.BadTicket:
                 pass
+        tokens = tuple(tokens)
 
         who_userid = identity['repoze.who.userid']
-        who_tokens = identity.get('tokens', '')
+        who_tokens = tuple(identity.get('tokens', ()))
         who_userdata = identity.get('userdata', '')
 
         encoding_data = self.userid_type_encoders.get(type(who_userid))
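Review bot: In the second auth_tkt.py hunk, `who_tokens = tuple(identity.get('tokens', ()))` turns a comma-joined string into a tuple of single characters, so a caller that still passes `'tokens': 'foo,bar'` (the form the basestring branch removed in the following hunk used to accept) now gets a ticket built from `('f', 'o', 'o', ',', 'b', 'a', 'r')` instead of an error. Since the tokens presumably end up inside the signed ticket value, that corruption is silent and only surfaces when something later reads the tokens back. Either keep accepting the string form or fail loudly before the conversion, e.g. `who_tokens = identity.get('tokens', ())`, `if isinstance(who_tokens, basestring): who_tokens = who_tokens.split(',')`, `who_tokens = tuple(who_tokens)`. The same question applies to `tokens = tuple(tokens)` on the parsed cookie if parse_ticket can ever return the tokens as a string, which this hunk does not show. remember() starts before this hunk and continues after it.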
@@ -126,10 +127,6 @@
             who_userid = encoder(who_userid)
             who_userdata = 'userid_type:%s' % encoding
 
-        if not isinstance(tokens, basestring):
-            tokens = ','.join(tokens)
-        if not isinstance(who_tokens, basestring):
-            who_tokens = ','.join(who_tokens)
 
         old_data = (userid, tokens, userdata)
         new_data = (who_userid, who_tokens, who_userdata)
diff --git a/repoze/who/plugins/tests/test_authtkt.py b/repoze/who/plugins/tests/test_authtkt.py
index 5aa43b2..e6db966 100644
--- a/repoze/who/plugins/tests/test_authtkt.py
+++ b/repoze/who/plugins/tests/test_authtkt.py
@@ -241,15 +241,15 @@
                           'auth_tkt="%s"; Path=/; Domain=.localhost'
                           % new_val))
 
-    def test_remember_creds_different_with_nonstring_tokens(self):
+    def test_remember_creds_different_with_tokens(self):
         plugin = self._makeOne('secret')
         old_val = self._makeTicket(userid='userid')
         environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
-        new_val = self._makeTicket(userid='other',
+        new_val = self._makeTicket(userid='userid',
                                    userdata='userdata',
-                                   tokens='foo,bar',
+                                   tokens=['foo', 'bar'],
                                    )
-        result = plugin.remember(environ, {'repoze.who.userid': 'other',
+        result = plugin.remember(environ, {'repoze.who.userid': 'userid',
                                           'userdata': 'userdata',
                                           'tokens': ['foo', 'bar'],
                                           })
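Review bot: Renaming `test_remember_creds_different_with_nonstring_tokens` to `test_remember_creds_different_with_tokens` and switching `_makeTicket` to `tokens=['foo', 'bar']` leaves no test in which `identity['tokens']` is a comma-joined string, the input the removed basestring branch in auth_tkt.py used to accept. Whether that form now still produces the same cookie as the list form or is rejected is therefore unpinned by the suite. A companion test passing `'tokens': 'foo,bar'` to `plugin.remember` and asserting whichever outcome the plugin intends would close that gap. The test class and the `_makeOne`/`_makeTicket`/`_makeEnviron` helpers are outside this hunk.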
@@ -266,6 +266,31 @@
                           'auth_tkt="%s"; Path=/; Domain=.localhost'
                           % new_val))
 
+    def test_remember_creds_different_with_tuple_tokens(self):
+        plugin = self._makeOne('secret')
+        old_val = self._makeTicket(userid='userid')
+        environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
+        new_val = self._makeTicket(userid='userid',
+                                   userdata='userdata',
+                                   tokens=['foo', 'bar'],
+                                   )
+        result = plugin.remember(environ, {'repoze.who.userid': 'userid',
+                                          'userdata': 'userdata',
+                                          'tokens': ('foo', 'bar'),
+                                          })
+        self.assertEqual(len(result), 3)
+        self.assertEqual(result[0],
+                         ('Set-Cookie',
+                          'auth_tkt="%s"; Path=/' % new_val))
+        self.assertEqual(result[1],
+                         ('Set-Cookie',
+                          'auth_tkt="%s"; Path=/; Domain=localhost'
+                          % new_val))
+        self.assertEqual(result[2],
+                         ('Set-Cookie',
+                          'auth_tkt="%s"; Path=/; Domain=.localhost'
+                          % new_val))
+
     def test_remember_creds_different_int_userid(self):
         plugin = self._makeOne('secret')
         old_val = self._makeTicket(userid='userid')
-- 
Gitblit v1.9.3
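Review bot: `test_remember_creds_different_with_tuple_tokens` repeats the preceding `test_remember_creds_different_with_tokens` line for line, differing only in the `('foo', 'bar')` literal passed as `'tokens'`; the fixture setup and the three Set-Cookie assertions are duplicated verbatim. Factoring the body into a private helper in the file's existing naming style, say `_checkRememberWithTokens(self, tokens)`, that builds the environ and expected ticket, calls `plugin.remember` with the given tokens value and performs the three assertions, would reduce both tests to a one-line call and make a further string-tokens case trivial to add. The enclosing test class is outside this hunk.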