authorMichael Merickel <michael@merickel.org>2014-02-21 21:52:14 -0600
committerMichael Merickel <michael@merickel.org>2014-02-21 21:52:14 -0600
commitadcacf48dbf6eb84a1c1661918f3fb093a929bc2 (patch)
tree438052c52587fbd0f99612a5ecc3514cb6364914
parent69b613db258d71caa925f0165030b9974a1610ca (diff)
support high-order characters in UnencryptedCookieSessionFactoryConfig secrets
-rw-r--r--CHANGES.txt3
-rw-r--r--pyramid/session.py6
2 files changed, 7 insertions, 2 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 84d0694e3..6372c904d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,9 @@ Unreleased
- Avoid crash in ``pserve --reload`` under Py3k, when iterating over posiibly
mutated ``sys.modules``.
+- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained
+ higher order characters. See https://github.com/Pylons/pyramid/issues/1246
+
1.5b1 (2014-02-08)
==================
diff --git a/pyramid/session.py b/pyramid/session.py
index 3a045b91b..d1964c43e 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -57,7 +57,7 @@ def signed_serialize(data, secret):
response.set_cookie('signed_cookie', cookieval)
"""
pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
- sig = hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest()
+ sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest()
return sig + native_(base64.b64encode(pickled))
def signed_deserialize(serialized, secret, hmac=hmac):
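Review bot: The new `bytes_(secret, 'utf-8')` on the sig line silently changes the HMAC key for any existing secret that contains characters in the U+0080–U+00FF range, since those encode differently under UTF-8 than under what appears to be the helper's previous default (presumably latin-1, as in pyramid.compat — confirm); every cookie signed with such a secret before this commit will fail to verify after upgrade, which is a forced session invalidation rather than a bug fix for those deployments. The same applies to the mirrored change in the signed_deserialize hunk below, whose body continues outside this view. It would be worth recording the contract on the secret in the signed_serialize docstring, e.g. `The secret is encoded as UTF-8 before being used as the HMAC key; changing the secret's encoding changes the key, so signatures produced before this behaviour existed will no longer validate.` A matching line in CHANGES.txt would let operators plan the rollover instead of discovering it from logged-out users.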
@@ -81,7 +81,9 @@ def signed_deserialize(serialized, secret, hmac=hmac):
# Badly formed data can make base64 die
raise ValueError('Badly formed base64 data: %s' % e)
- sig = bytes_(hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest())
+ sig = bytes_(hmac.new(
+ bytes_(secret, 'utf-8'), pickled, hashlib.sha1,
+ ).hexdigest())
# Avoid timing attacks (see
# http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)