| author | Michael Merickel <michael@merickel.org> | 2014-02-21 22:33:33 -0600 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2014-02-21 22:33:33 -0600 |
| commit | cf026e2cd8704a679dd83760907d8847deabb18e (patch) | |
| tree | 70b252c3939a7809bf8b3b20d99f656179f3fbe8 | |
| parent | b2c23953cc5142238879e0075c065f31a268a770 (diff) | |
fix regression with code expecting secrets to be encoded with latin-1
| -rw-r--r-- | pyramid/session.py | 16 | ||||
| -rw-r--r-- | pyramid/tests/test_session.py | 17 |
2 files changed, 27 insertions, 6 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index d1964c43e..4dc7bda74 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -57,7 +57,12 @@ def signed_serialize(data, secret):
        response.set_cookie('signed_cookie', cookieval)
     """
     pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
-    sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest()
+    try:
+        # bw-compat with pyramid <= 1.5b1 where latin1 is the default
+        secret = bytes_(secret)
+    except UnicodeEncodeError:
+        secret = bytes_(secret, 'utf-8')
+    sig = hmac.new(secret, pickled, hashlib.sha1).hexdigest()
     return sig + native_(base64.b64encode(pickled))
 
 def signed_deserialize(serialized, secret, hmac=hmac):
@@ -81,9 +86,12 @@ def signed_deserialize(serialized, secret, hmac=hmac):
         # Badly formed data can make base64 die
         raise ValueError('Badly formed base64 data: %s' % e)
 
-    sig = bytes_(hmac.new(
-        bytes_(secret, 'utf-8'), pickled, hashlib.sha1,
-    ).hexdigest())
+    try:
+        # bw-compat with pyramid <= 1.5b1 where latin1 is the default
+        secret = bytes_(secret)
+    except UnicodeEncodeError:
+        secret = bytes_(secret, 'utf-8')
+    sig = bytes_(hmac.new(secret, pickled, hashlib.sha1).hexdigest())
 
     # Avoid timing attacks (see
     # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 6bce764ca..f1b1e2296 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
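Review bot: The latin-1-then-UTF-8 fallback is pasted verbatim into both signed_serialize and signed_deserialize; the HMAC key derivation is the one thing those two functions must never disagree on, because any future edit to one copy silently invalidates every cookie signed by the other, so it belongs in a single private helper both call. The helper's docstring should also spell out the sharp edge the fallback creates: a str secret whose characters all fit in latin-1 (e.g. 'La Peña') is now keyed as one byte per character, while a secret with any character outside U+0000–U+00FF is keyed as UTF-8, so anything signed under the removed `bytes_(secret, 'utf-8')` path with a latin-1-encodable non-ASCII secret presumably no longer verifies — the test hunk swapping 'La Peña' for Greek letters suggests exactly that. Both enclosing functions begin and end outside these hunks.
```python
def _secret_bytes(secret):
    """Return the HMAC key for *secret* as bytes.

    Pyramid <= 1.5b1 encoded str secrets with bytes_()'s latin-1 default,
    so that is tried first; a secret latin-1 cannot represent falls back
    to UTF-8.  signed_serialize and signed_deserialize must both derive
    the key through this one path so they can never disagree.
    """
    try:
        return bytes_(secret)
    except UnicodeEncodeError:
        return bytes_(secret, 'utf-8')

# … unchanged: signed_serialize docstring and pickle.dumps …
    sig = hmac.new(_secret_bytes(secret), pickled, hashlib.sha1).hexdigest()
# … unchanged: signed_deserialize base64 handling …
    sig = bytes_(hmac.new(_secret_bytes(secret), pickled, hashlib.sha1).hexdigest())
```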
@@ -533,10 +533,16 @@ class Test_signed_serialize(unittest.TestCase):
         self.assertEqual(result, expected)
 
     def test_it_with_highorder_secret(self):
-        secret = b'La Pe\xc3\xb1a'.decode('utf-8')
+        secret = b'\xce\xb1\xce\xb2\xce\xb3\xce\xb4'.decode('utf-8')
         expected = serialize('123', secret)
         result = self._callFUT('123', secret)
         self.assertEqual(result, expected)
+
+    def test_it_with_latin1_secret(self):
+        secret = b'La Pe\xc3\xb1a'
+        expected = serialize('123', secret)
+        result = self._callFUT('123', secret.decode('latin-1'))
+        self.assertEqual(result, expected)
 
 class Test_signed_deserialize(unittest.TestCase):
     def _callFUT(self, serialized, secret, hmac=None):
@@ -569,11 +575,18 @@ class Test_signed_deserialize(unittest.TestCase):
         self.assertRaises(ValueError, self._callFUT, serialized, 'secret')
 
     def test_it_with_highorder_secret(self):
-        secret = b'La Pe\xc3\xb1a'.decode('utf-8')
+        secret = b'\xce\xb1\xce\xb2\xce\xb3\xce\xb4'.decode('utf-8')
         serialized = serialize('123', secret)
         result = self._callFUT(serialized, secret)
         self.assertEqual(result, '123')
 
+    # bwcompat with pyramid <= 1.5b1 where latin1 is the default
+    def test_it_with_latin1_secret(self):
+        secret = b'La Pe\xc3\xb1a'
+        serialized = serialize('123', secret)
+        result = self._callFUT(serialized, secret.decode('latin-1'))
+        self.assertEqual(result, '123')
+
 class Test_check_csrf_token(unittest.TestCase):
     def _callFUT(self, *args, **kwargs):
         from ..session import check_csrf_token
|
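Review bot: Both new test_it_with_latin1_secret methods assert only the positive path — a latin-1 str signs identically to its latin-1 bytes — while the behaviour they cover is a fallback whose failure mode is a key mismatch, and nothing pins that boundary. Mirroring the existing `assertRaises(ValueError, ...)` context line in Test_signed_deserialize, two lines would do it: `serialized = serialize('123', b'La Pe\xc3\xb1a')` followed by `self.assertRaises(ValueError, self._callFUT, serialized, b'La Pe\xc3\xb1a'.decode('utf-8'))`, documenting that a latin-1-encodable str secret is no longer interchangeable with its UTF-8 bytes (assuming, as the context suggests, that a signature mismatch raises ValueError). Minor: the `# bwcompat` comment sits above the def in the deserialize hunk while the serialize hunk has none; put the same one-line comment inside both methods so the intent travels with each test and does not read as a class-level note.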
