authorWichert Akkerman <wichert@wiggy.net>2011-01-19 17:04:54 +0100
committerWichert Akkerman <wichert@wiggy.net>2011-01-19 17:04:54 +0100
commit69869eee461afe127ff36ef6b81d518e9f9a25a0 (patch)
treed08678893a01d150c013d1b6f5a4aead82e77453
parent17c4de891ad41c03c6e5e007f8100f02033b4555 (diff)
Validate tokens to prevent problems.
-rw-r--r--pyramid/authentication.py8
-rw-r--r--pyramid/tests/test_authentication.py11
2 files changed, 19 insertions, 0 deletions
diff --git a/pyramid/authentication.py b/pyramid/authentication.py
index b80429c72..24c8015e0 100644
--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -1,6 +1,7 @@
from codecs import utf_8_decode
from codecs import utf_8_encode
import datetime
+import re
import time
from paste.auth import auth_tkt
@@ -14,6 +15,9 @@ from pyramid.request import add_global_response_headers
from pyramid.security import Authenticated
from pyramid.security import Everyone
+
+VALID_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9+_-]*$")
+
class CallbackAuthenticationPolicy(object):
""" Abstract class """
def authenticated_userid(self, request):
@@ -432,6 +436,10 @@ class AuthTktCookieHelper(object):
userid = encoder(userid)
user_data = 'userid_type:%s' % encoding
+ for token in tokens:
+ if not (isinstance(token, str) and VALID_TOKEN.match(token)):
+ raise ValueError("Invalid token %r", token)
+
ticket = self.auth_tkt.AuthTicket(
self.secret,
userid,
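Review bot: The `%r` in `raise ValueError("Invalid token %r", token)` is never applied, so the exception carries a two-element args tuple and its str() shows the raw format string next to the token instead of an interpolated message; it should be `raise ValueError("Invalid token %r" % (token,))`. Separately, the `$` anchor in VALID_TOKEN (second hunk) also matches just before a trailing newline, so a token like `'foo\n'` passes the check even though the pattern reads as if it forbids anything outside the alphabet — use `VALID_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9+_-]*\Z")` so the match must reach the true end of the string. The `isinstance(token, str)` test deliberately rejects unicode (the new `u'foo'` test pins that), which is worth a one-line why-comment on the loop, e.g. `# tokens end up in the auth_tkt cookie value; allow only a plain-str, safe ASCII alphabet`. The enclosing method starts outside this hunk.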
diff --git a/pyramid/tests/test_authentication.py b/pyramid/tests/test_authentication.py
index 5f30d0d22..136f9de39 100644
--- a/pyramid/tests/test_authentication.py
+++ b/pyramid/tests/test_authentication.py
@@ -584,6 +584,17 @@ class TestAuthTktCookieHelper(unittest.TestCase):
self.assertEqual(result[2][0], 'Set-Cookie')
self.failUnless("'tokens': ('foo', 'bar')" in result[2][1])
+ def test_remember_non_string_token(self):
+ plugin = self._makeOne('secret')
+ request = self._makeRequest()
+ self.assertRaises(ValueError, plugin.remember, request, 'other', tokens=(u'foo',))
+
+ def test_remember_invalid_token_format(self):
+ plugin = self._makeOne('secret')
+ request = self._makeRequest()
+ self.assertRaises(ValueError, plugin.remember, request, 'other', tokens=('foo bar',))
+ self.assertRaises(ValueError, plugin.remember, request, 'other', tokens=('1bar',))
+
def test_forget(self):
plugin = self._makeOne('secret')
request = self._makeRequest()