diff options
| author | Bert JW Regeer <bertjw@regeer.org> | 2016-07-19 16:35:49 -0600 |
|---|---|---|
| committer | Bert JW Regeer <bertjw@regeer.org> | 2016-07-19 16:35:49 -0600 |
| commit | cf428a83b8ee733f8c67b113bcdef33fdff6eeae (patch) | |
| tree | 2dd66ef9679982c045e72e985c8555f8e0d94adf | |
| parent | 47b7855e0081fcac8b4cc71829b8193181939c2e (diff) | |
| download | pyramid-cf428a83b8ee733f8c67b113bcdef33fdff6eeae.tar.gz pyramid-cf428a83b8ee733f8c67b113bcdef33fdff6eeae.tar.bz2 pyramid-cf428a83b8ee733f8c67b113bcdef33fdff6eeae.zip | |
Fix AuthTktCookieHelper so that it doesn't create bad cookies
The AuthTktCookieHelper, when provided a type it didn't know what to do
with, would simply pass it through unchanged; this would lead to things
like object() being serialised by just having str() called on it, which
may include spaces and other characters that are not allowed in cookie
values.
WebOb would send a RuntimeWarning:
RuntimeWarning: Cookie value contains invalid bytes: (b' '). Future
versions will raise ValueError upon encountering invalid bytes.
This fix warns the user of the library directly, and makes sure to
call str() on the provided userid, AND then encode it as base64. The
user won't get back the original object after decoding on a
request/response round-trip, but at least no cookies are being generated
that are invalid.
| -rw-r--r-- | pyramid/authentication.py | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/pyramid/authentication.py b/pyramid/authentication.py index e6b888db2..8d0adfa3d 100644 --- a/pyramid/authentication.py +++ b/pyramid/authentication.py @@ -5,6 +5,7 @@ import hashlib import base64 import re import time as time_mod +import warnings from zope.interface import implementer @@ -947,8 +948,19 @@ class AuthTktCookieHelper(object): if encoding_data: encoding, encoder = encoding_data - userid = encoder(userid) - user_data = 'userid_type:%s' % encoding + else: + warnings.warn( + "userid is of type {}, and is not supported by the " + "AuthTktAuthenticationPolicy. Explicitly converting to string " + "and storing as base64. Subsequent requests will receive a " + "string as the userid, it will not be decoded back to the type " + "provided.".format(type(userid)), RuntimeWarning + ) + encoding, encoder = self.userid_type_encoders.get(text_type) + userid = str(userid) + + userid = encoder(userid) + user_data = 'userid_type:%s' % encoding new_tokens = [] for token in tokens: |
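Review bot: In the second hunk, `encoding, encoder = self.userid_type_encoders.get(text_type)` uses `.get`, which returns None if the key is ever missing and then fails with an unhelpful TypeError on tuple unpacking; since text_type is always expected in that table, plain indexing `self.userid_type_encoders[text_type]` states that intent and fails loudly if it is violated. Relatedly, `userid = str(userid)` produces a byte string on Python 2 while the encoder chosen for text_type expects text, so `text_type(userid)` would match the encoder selected on the line above it. Finally, `warnings.warn(...)` is called without a `stacklevel`, so the RuntimeWarning is attributed to pyramid/authentication.py rather than to the application code that passed the unsupported userid; adding `stacklevel=2` (or higher, depending on how deep this sits under remember()) would point users at their own call site.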
