From adcacf48dbf6eb84a1c1661918f3fb093a929bc2 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Fri, 21 Feb 2014 21:52:14 -0600 Subject: support high-order characters in UnencryptedCookieSessionFactoryConfig secrets --- CHANGES.txt | 3 +++ pyramid/session.py | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 84d0694e3..6372c904d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -4,6 +4,9 @@ Unreleased - Avoid crash in ``pserve --reload`` under Py3k, when iterating over posiibly mutated ``sys.modules``. +- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained + higher order characters. See https://github.com/Pylons/pyramid/issues/1246 + 1.5b1 (2014-02-08) ================== diff --git a/pyramid/session.py b/pyramid/session.py index 3a045b91b..d1964c43e 100644 --- a/pyramid/session.py +++ b/pyramid/session.py @@ -57,7 +57,7 @@ def signed_serialize(data, secret): response.set_cookie('signed_cookie', cookieval) """ pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) - sig = hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest() + sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest() return sig + native_(base64.b64encode(pickled)) def signed_deserialize(serialized, secret, hmac=hmac): @@ -81,7 +81,9 @@ def signed_deserialize(serialized, secret, hmac=hmac): # Badly formed data can make base64 die raise ValueError('Badly formed base64 data: %s' % e) - sig = bytes_(hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest()) + sig = bytes_(hmac.new( + bytes_(secret, 'utf-8'), pickled, hashlib.sha1, + ).hexdigest()) # Avoid timing attacks (see # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf) -- cgit v1.2.3