authorBert JW Regeer <xistence@0x58.com>2016-01-27 23:32:11 -0700
committerBert JW Regeer <xistence@0x58.com>2016-01-27 23:32:11 -0700
commitfe1135e05aca83cd260be391546827ef55acf0d2 (patch)
tree99c9d8c773f98528fd204bbf9fbc1d884e22d091
parent8977d8836ec8854c351482fac2886fe6968f85cd (diff)
parentf16a1bc04b8b42324ccb6c6d01e887633e5448dd (diff)
Merge pull request #2298 from mmerickel/fix/2294
ensure csrf tokens are compared as bytes
-rw-r--r--pyramid/session.py3
-rw-r--r--pyramid/testing.py3
-rw-r--r--pyramid/tests/test_session.py7
3 files changed, 11 insertions, 2 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index b3be68705..a4cdf910d 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,8 @@ def check_csrf_token(request,
.. versionadded:: 1.4a2
"""
supplied_token = request.params.get(token, request.headers.get(header, ""))
- if strings_differ(request.session.get_csrf_token(), supplied_token):
+ expected_token = request.session.get_csrf_token()
+ if strings_differ(bytes_(expected_token), bytes_(supplied_token)):
if raises:
raise BadCSRFToken('check_csrf_token(): Invalid token')
return False
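Review bot: The added `bytes_(supplied_token)` on the new comparison line turns an un-encodable submitted token into an unhandled exception rather than a failed check: `supplied_token` comes from request params or headers, and if `bytes_` is pyramid.compat's encoder with its default latin-1/strict encoding, a code point above U+00FF raises UnicodeEncodeError out of `check_csrf_token` instead of returning False or raising BadCSRFToken. A safer shape is to treat an encode failure as a mismatch, e.g. `try: supplied = bytes_(supplied_token)` / `except UnicodeEncodeError: supplied = b''`, then `if strings_differ(bytes_(expected_token), supplied):` — the length mismatch against the real token still fails closed. A one-line why-comment would also help the next reader, since the reason for the double coercion is only in the merge title: `# compare as bytes: str vs bytes never matches in strings_differ on Python 3`. The signature of `check_csrf_token` and the remainder of its body lie outside the hunk.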
diff --git a/pyramid/testing.py b/pyramid/testing.py
index 58dcb0b59..14432b01f 100644
--- a/pyramid/testing.py
+++ b/pyramid/testing.py
@@ -16,6 +16,7 @@ from pyramid.compat import (
PY3,
PYPY,
class_types,
+ text_,
)
from pyramid.config import Configurator
@@ -274,7 +275,7 @@ class DummySession(dict):
return storage
def new_csrf_token(self):
- token = '0123456789012345678901234567890123456789'
+ token = text_('0123456789012345678901234567890123456789')
self['_csrft_'] = token
return token
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 82e4fb001..914d28a83 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -695,6 +695,13 @@ class Test_check_csrf_token(unittest.TestCase):
result = self._callFUT(request, 'csrf_token', raises=False)
self.assertEqual(result, False)
+ def test_token_differing_types(self):
+ from pyramid.compat import text_
+ request = testing.DummyRequest()
+ request.session['_csrft_'] = text_('foo')
+ request.params['csrf_token'] = b'foo'
+ self.assertEqual(self._callFUT(request, token='csrf_token'), True)
+
class DummySerializer(object):
def dumps(self, value):
return base64.b64encode(json.dumps(value).encode('utf-8'))
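Review bot: The new `test_token_differing_types` only exercises the positive path (text session token, bytes form token, result True), so it would also pass if the bytes coercion made unequal tokens compare equal; add the mirrored negative case next to it, setting `request.params['csrf_token'] = b'bar'` and asserting `self.assertRaises(BadCSRFToken, self._callFUT, request, token='csrf_token')` (with `from pyramid.exceptions import BadCSRFToken`). The opposite type combination — bytes stored in the session, text supplied in the form — is not covered either. `_callFUT` and the rest of `Test_check_csrf_token` are defined outside the hunk.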