| -rw-r--r-- | docs/designdefense.rst | 12 | ||||
| -rw-r--r-- | pyramid/session.py | 3 | ||||
| -rw-r--r-- | pyramid/testing.py | 3 | ||||
| -rw-r--r-- | pyramid/tests/test_session.py | 7 |
4 files changed, 17 insertions, 8 deletions
diff --git a/docs/designdefense.rst b/docs/designdefense.rst
index f757a8e70..b7aca07ea 100644
--- a/docs/designdefense.rst
+++ b/docs/designdefense.rst
@@ -840,17 +840,16 @@ application deployment modifications instead, as if you were deploying an
 application written using any other web framework.
 
 
-Zope 3 Enforces "TTW" Authorization Checks By Default; Pyramid Does Not
+Zope 3 Enforces "TTW" Authorization Checks by Default; Pyramid Does Not
 -----------------------------------------------------------------------
 
 Challenge
 +++++++++
 
 :app:`Pyramid` performs automatic authorization checks only at :term:`view`
-execution time. Zope 3 wraps context objects with a `security proxy
-<http://wiki.zope.org/zope3/WhatAreSecurityProxies>`_, which causes Zope 3 to
-do also security checks during attribute access. I like this, because it
-means:
+execution time. Zope 3 wraps context objects with a `security proxy
+<http://wiki.zope.org/zope3/WhatAreSecurityProxies>`_, which causes Zope 3 also
+to do security checks during attribute access. I like this, because it means:
 
 #) When I use the security proxy machinery, I can have a view that
    conditionally displays certain HTML elements (like form fields) or
@@ -882,7 +881,7 @@ web framework.
 
 And since we tend to use the same toolkit for all web applications, it's just
 never been a concern to be able to use the same set of restricted-execution
-code under two web different frameworks.
+code under two different web frameworks.
 
 Justifications for disabling security proxies by default notwithstanding,
 given that Zope 3 security proxies are viral by nature, the only requirement
@@ -895,6 +894,7 @@ Zope3-security-proxy-wrapped objects for each traversed object (including the
 :term:`context` and the :term:`root`).  This would have the effect of creating
 a more Zope3-like environment without much effort.
 
+
 .. _http_exception_hierarchy:
 
 Pyramid uses its own HTTP exception class hierarchy rather than :mod:`webob.exc`
diff --git a/pyramid/session.py b/pyramid/session.py
index b3be68705..a4cdf910d 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,8 @@ def check_csrf_token(request,
     .. versionadded:: 1.4a2
     """
     supplied_token = request.params.get(token, request.headers.get(header, ""))
-    if strings_differ(request.session.get_csrf_token(), supplied_token):
+    expected_token = request.session.get_csrf_token()
+    if strings_differ(bytes_(expected_token), bytes_(supplied_token)):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
diff --git a/pyramid/testing.py b/pyramid/testing.py
index 58dcb0b59..14432b01f 100644
--- a/pyramid/testing.py
+++ b/pyramid/testing.py
@@ -16,6 +16,7 @@ from pyramid.compat import (
     PY3,
     PYPY,
     class_types,
+    text_,
     )
 
 from pyramid.config import Configurator
@@ -274,7 +275,7 @@ class DummySession(dict):
         return storage
 
     def new_csrf_token(self):
-        token = '0123456789012345678901234567890123456789'
+        token = text_('0123456789012345678901234567890123456789')
         self['_csrft_'] = token
         return token
 
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 82e4fb001..914d28a83 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -695,6 +695,13 @@ class Test_check_csrf_token(unittest.TestCase):
         result = self._callFUT(request, 'csrf_token', raises=False)
         self.assertEqual(result, False)
 
+    def test_token_differing_types(self):
+        from pyramid.compat import text_
+        request = testing.DummyRequest()
+        request.session['_csrft_'] = text_('foo')
+        request.params['csrf_token'] = b'foo'
+        self.assertEqual(self._callFUT(request, token='csrf_token'), True)
+
 class DummySerializer(object):
     def dumps(self, value):
         return base64.b64encode(json.dumps(value).encode('utf-8'))
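Review bot: In the new comparison in `check_csrf_token`, `bytes_(supplied_token)` makes an encoding error reachable from request data: if `bytes_` keeps its strict default encoding (latin-1 in pyramid.compat, not visible in this hunk), a form or header value with characters outside that charset raises `UnicodeEncodeError` inside the check instead of yielding `False` or `BadCSRFToken`, so a malformed or forged request produces a 500 rather than a clean CSRF failure. Encoding both sides explicitly with a lossless codec keeps the function's contract: `if strings_differ(bytes_(expected_token, 'utf-8'), bytes_(supplied_token, 'utf-8', 'replace')):`. The new `test_token_differing_types` in the test_session.py hunk only covers the text-vs-bytes match; a second case with a non-ASCII supplied token pinning the expected `False` result would guard this. `check_csrf_token` starts before the hunk (its signature is cut off in the hunk header) and its success return lies after it.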
