From cf428a83b8ee733f8c67b113bcdef33fdff6eeae Mon Sep 17 00:00:00 2001
From: Bert JW Regeer
Date: Tue, 19 Jul 2016 16:35:49 -0600
Subject: Fix AuthTktCookieHelper so that it doesn't create bad cookies

The AuthTktCookieHelper when provided a type it didn't knoww what to do with would simply pass it through unchanged, this would lead to things like object() being serialised by just having str() called on it, which may included spaces and other characters that are not allowed in cookie values.

WebOb would send a RuntimeWarning:

RuntimeWarning: Cookie value contains invalid bytes: (b' '). Future versions will raise ValueError upon encountering invalid bytes.

This fix warns the user of the library directly, and makes sure to call str() on the provided userid, AND then encode it as base64. The user won't get back the original object after decoding on a request/response round-trip, but at least no cookies are being generated that are invalid.
---
 pyramid/authentication.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/pyramid/authentication.py b/pyramid/authentication.py
index e6b888db2..8d0adfa3d 100644
--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -5,6 +5,7 @@ import hashlib
 import base64
 import re
 import time as time_mod
+import warnings
 from zope.interface import implementer
@@ -947,8 +948,19 @@ class AuthTktCookieHelper(object):
         if encoding_data:
             encoding, encoder = encoding_data
-            userid = encoder(userid)
-            user_data = 'userid_type:%s' % encoding
+        else:
+            warnings.warn(
+                "userid is of type {}, and is not supported by the "
+                "AuthTktAuthenticationPolicy. Explicitly converting to string "
+                "and storing as base64. Subsequent requests will receive a "
+                "string as the userid, it will not be decoded back to the type "
+                "provided.".format(type(userid)), RuntimeWarning
+            )
+            encoding, encoder = self.userid_type_encoders.get(text_type)
+            userid = str(userid)
+
+        userid = encoder(userid)
+        user_data = 'userid_type:%s' % encoding
         new_tokens = []
         for token in tokens:
--
cgit v1.2.3
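Review bot: The new `warnings.warn(...)` in the `else` branch uses the default `stacklevel`, so the RuntimeWarning is attributed to pyramid/authentication.py itself rather than to the application code that passed the unsupported userid, which is the frame an operator needs in order to find the offending `remember()` call; pass `RuntimeWarning, stacklevel=2` (this helper is normally reached through the policy's own `remember`, so the right depth may be one deeper and should be confirmed). The fallback also unpacks `self.userid_type_encoders.get(text_type)` directly, so a subclass that customises the encoder table without a text entry fails with an opaque TypeError at that assignment; `encoding, encoder = self.userid_type_encoders[text_type]` instead raises a KeyError naming the missing key. On Python 2 `str(userid)` yields a byte string, and if the text encoder utf-8-encodes before base64 (as its name suggests, not visible here) a non-ASCII `__str__` result would raise rather than produce a cookie, so `text_type(userid)` may be the safer coercion for the versions this file supports. The enclosing `remember` method, including the `encoding_data` lookup this branch depends on, starts outside the hunk.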