From fc9a88b113b48c5230b075ee2b06c023a190cc84 Mon Sep 17 00:00:00 2001
From: Brian Sutherland <brian@vanguardistas.net>
Date: Tue, 30 Nov 2010 16:36:52 +0100
Subject: [PATCH] Fix auth_tkt plugin to not hand over tokens as strings to paste. See http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html

---
 repoze/who/plugins/tests/test_authtkt.py |   33 +++++++++++++++++++++++++++++----
 CHANGES.txt                              |    3 +++
 repoze/who/plugins/auth_tkt.py           |    9 +++------
 3 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index 00b7880..e13cdfe 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,9 @@
 After 2.0a3 (unreleased)
 ------------------------
 
+- Fix auth_tkt plugin to not hand over tokens as strings to paste. See
+  http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
+
 - Avoid propagating unicode 'max_age' value into cookie headers.  See
   https://bugs.launchpad.net/bugs/674123 .
 
diff --git a/repoze/who/plugins/auth_tkt.py b/repoze/who/plugins/auth_tkt.py
index 6322f95..94f7e20 100644
--- a/repoze/who/plugins/auth_tkt.py
+++ b/repoze/who/plugins/auth_tkt.py
@@ -107,7 +107,7 @@
         old_cookie_value = getattr(existing, 'value', None)
         max_age = identity.get('max_age', None)
 
-        timestamp, userid, tokens, userdata = None, '', '', ''
+        timestamp, userid, tokens, userdata = None, '', (), ''
 
         if old_cookie_value:
             try:
@@ -115,9 +115,10 @@
                     self.secret, old_cookie_value, remote_addr)
             except auth_tkt.BadTicket:
                 pass
+        tokens = tuple(tokens)
 
         who_userid = identity['repoze.who.userid']
-        who_tokens = identity.get('tokens', '')
+        who_tokens = tuple(identity.get('tokens', ()))
         who_userdata = identity.get('userdata', '')
 
         encoding_data = self.userid_type_encoders.get(type(who_userid))
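Review bot: `who_tokens = tuple(identity.get('tokens', ()))` silently explodes a string into single characters, so a caller that still passes `'tokens': 'foo,bar'` (the form the removed `basestring` branch accepted, and the form the old test used) now writes a ticket whose tokens are `('f', 'o', 'o', ',', 'b', 'a', 'r')` instead of being rejected or split on commas. Since the tokens end up in the signed cookie and are what a consumer may key authorization on, a malformed token value should fail loudly rather than be quietly rewritten into the ticket. I would read the value first and guard before converting: `who_tokens = identity.get('tokens', ())`, `if isinstance(who_tokens, basestring): raise ValueError('tokens must be a sequence of strings, not a string')`, `who_tokens = tuple(who_tokens)` (or split on ',' if string compatibility is intended). The same concern applies to `tokens = tuple(tokens)` after `parse_ticket` if that call can ever return a string; its return type is not visible here. The enclosing method starts before and ends after this hunk.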
@@ -126,10 +127,6 @@
             who_userid = encoder(who_userid)
             who_userdata = 'userid_type:%s' % encoding
         
-        if not isinstance(tokens, basestring):
-            tokens = ','.join(tokens)
-        if not isinstance(who_tokens, basestring):
-            who_tokens = ','.join(who_tokens)
         old_data = (userid, tokens, userdata)
         new_data = (who_userid, who_tokens, who_userdata)
 
diff --git a/repoze/who/plugins/tests/test_authtkt.py b/repoze/who/plugins/tests/test_authtkt.py
index 5aa43b2..e6db966 100644
--- a/repoze/who/plugins/tests/test_authtkt.py
+++ b/repoze/who/plugins/tests/test_authtkt.py
@@ -241,15 +241,15 @@
                            'auth_tkt="%s"; Path=/; Domain=.localhost'
                             % new_val))
 
-    def test_remember_creds_different_with_nonstring_tokens(self):
+    def test_remember_creds_different_with_tokens(self):
         plugin = self._makeOne('secret')
         old_val = self._makeTicket(userid='userid')
         environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
-        new_val = self._makeTicket(userid='other',
+        new_val = self._makeTicket(userid='userid',
                                    userdata='userdata',
-                                   tokens='foo,bar',
+                                   tokens=['foo', 'bar'],
                                   )
-        result = plugin.remember(environ, {'repoze.who.userid': 'other',
+        result = plugin.remember(environ, {'repoze.who.userid': 'userid',
                                            'userdata': 'userdata',
                                            'tokens': ['foo', 'bar'],
                                           })
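Review bot: Replacing `tokens='foo,bar'` with a list removes the only coverage of the string form a caller may still pass, and under the new `tuple(...)` conversion in the plugin such a string is turned into one token per character rather than the two tokens the old code produced. A `test_remember_creds_string_tokens` that calls `plugin.remember` with `'tokens': 'foo,bar'` and asserts on the outcome (a `ValueError`, or a two-token ticket, depending on how the plugin is meant to treat strings) would pin that behaviour down instead of leaving it implicit. Changing the userid from `'other'` to `'userid'` also means this test no longer exercises a userid change together with tokens; if that combination is meant to stay covered, keep a variant with `userid='other'`.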
@@ -266,6 +266,31 @@
                            'auth_tkt="%s"; Path=/; Domain=.localhost'
                             % new_val))
 
+    def test_remember_creds_different_with_tuple_tokens(self):
+        plugin = self._makeOne('secret')
+        old_val = self._makeTicket(userid='userid')
+        environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
+        new_val = self._makeTicket(userid='userid',
+                                   userdata='userdata',
+                                   tokens=['foo', 'bar'],
+                                  )
+        result = plugin.remember(environ, {'repoze.who.userid': 'userid',
+                                           'userdata': 'userdata',
+                                           'tokens': ('foo', 'bar'),
+                                          })
+        self.assertEqual(len(result), 3)
+        self.assertEqual(result[0],
+                         ('Set-Cookie',
+                          'auth_tkt="%s"; Path=/' % new_val))
+        self.assertEqual(result[1],
+                         ('Set-Cookie',
+                           'auth_tkt="%s"; Path=/; Domain=localhost'
+                            % new_val))
+        self.assertEqual(result[2],
+                         ('Set-Cookie',
+                           'auth_tkt="%s"; Path=/; Domain=.localhost'
+                            % new_val))
+
     def test_remember_creds_different_int_userid(self):
         plugin = self._makeOne('secret')
         old_val = self._makeTicket(userid='userid')

--
Gitblit v1.9.3