From 69b613db258d71caa925f0165030b9974a1610ca Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Fri, 21 Feb 2014 21:51:53 -0600
Subject: test cases to reproduce #1246
---
 pyramid/tests/test_session.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 1ad0729b3..6bce764ca 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -519,7 +519,7 @@ def serialize(data, secret):
 from pyramid.compat import native_
 from pyramid.compat import pickle
 pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
- sig = hmac.new(bytes_(secret), pickled, sha1).hexdigest()
+ sig = hmac.new(bytes_(secret, 'utf-8'), pickled, sha1).hexdigest()
 return sig + native_(base64.b64encode(pickled))
 class Test_signed_serialize(unittest.TestCase):
@@ -531,6 +531,12 @@ class Test_signed_serialize(unittest.TestCase):
 expected = serialize('123', 'secret')
 result = self._callFUT('123', 'secret')
 self.assertEqual(result, expected)
+
+ def test_it_with_highorder_secret(self):
 secret = b'La Pe\xc3\xb1a'.decode('utf-8')
 expected = serialize('123', secret)
 result = self._callFUT('123', secret)
 self.assertEqual(result, expected)
 class Test_signed_deserialize(unittest.TestCase):
 def _callFUT(self, serialized, secret, hmac=None):
@@ -562,6 +568,12 @@ class Test_signed_deserialize(unittest.TestCase):
 serialized = 'bad' + serialize('123', 'secret')
 self.assertRaises(ValueError, self._callFUT, serialized, 'secret')
+ def test_it_with_highorder_secret(self):
 secret = b'La Pe\xc3\xb1a'.decode('utf-8')
 serialized = serialize('123', secret)
 result = self._callFUT(serialized, secret)
 self.assertEqual(result, '123')
+
 class Test_check_csrf_token(unittest.TestCase):
 def _callFUT(self, *args, **kwargs):
 from ..session import check_csrf_token
--
cgit v1.2.3
From adcacf48dbf6eb84a1c1661918f3fb093a929bc2 Mon Sep 17 00:00:00 2001
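Review bot: The new `test_it_with_highorder_secret` in `Test_signed_serialize` compares `signed_serialize` against the module-level `serialize` helper, which the same commit changes to the identical `bytes_(secret, 'utf-8')` call, so the assertion holds for whichever encoding both sides happen to share and does not pin UTF-8. `ñ` (U+00F1) is also representable in single-byte encodings such as latin-1, so if that was `bytes_`'s previous default (not visible here) this input would not have failed on its own. A secret with a character outside latin-1, `secret = b'La Pe\xc3\xb1a \xe2\x82\xac'.decode('utf-8')`, plus a cross-form assertion, `self.assertEqual(result, self._callFUT('123', secret.encode('utf-8')))`, would pin the encoding, assuming `bytes_` passes `bytes` input through unchanged — confirm in `pyramid.compat`. The enclosing class starts and ends outside the hunk.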
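Review bot: The new deserialize test only round-trips `serialize`'s output with the same str secret, which passes under any consistent key encoding and does not check the property the fix is meant to provide: that a text secret and its UTF-8 byte form derive the same HMAC key. One assertion covers it, `self.assertEqual(self._callFUT(serialized, secret.encode('utf-8')), '123')`, assuming `bytes_` returns `bytes` input unchanged (confirm in `pyramid.compat`). A negative case with a differently encoded key, `self.assertRaises(ValueError, self._callFUT, serialized, secret.encode('latin-1'))`, would also show that a key mismatch fails closed, provided a bad signature raises `ValueError` as the existing `'bad' +` test expects. The enclosing class continues beyond the hunk.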
From: Michael Merickel
Date: Fri, 21 Feb 2014 21:52:14 -0600
Subject: support high-order characters in UnencryptedCookieSessionFactoryConfig secrets
---
 CHANGES.txt | 3 +++
 pyramid/session.py | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 84d0694e3..6372c904d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,9 @@ Unreleased
 - Avoid crash in ``pserve --reload`` under Py3k, when iterating over posiibly mutated ``sys.modules``.
+- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained
+ higher order characters. See https://github.com/Pylons/pyramid/issues/1246
+
 1.5b1 (2014-02-08)
 ==================
diff --git a/pyramid/session.py b/pyramid/session.py
index 3a045b91b..d1964c43e 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -57,7 +57,7 @@ def signed_serialize(data, secret):
 response.set_cookie('signed_cookie', cookieval)
 """
 pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
- sig = hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest()
+ sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest()
 return sig + native_(base64.b64encode(pickled))
 def signed_deserialize(serialized, secret, hmac=hmac):
@@ -81,7 +81,9 @@ def signed_deserialize(serialized, secret, hmac=hmac):
 # Badly formed data can make base64 die
 raise ValueError('Badly formed base64 data: %s' % e)
- sig = bytes_(hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest())
+ sig = bytes_(hmac.new(
+ bytes_(secret, 'utf-8'), pickled, hashlib.sha1,
+ ).hexdigest())
 # Avoid timing attacks (see
 # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
--
cgit v1.2.3
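Review bot: `signed_serialize`'s docstring, whose closing lines open the hunk, does not say how a text `secret` becomes the HMAC key, and the new `bytes_(secret, 'utf-8')` makes that choice load-bearing: a str secret and a bytes secret now agree only when the bytes are UTF-8. I would add before the closing `"""`: `The secret may be text or bytes; text is encoded as UTF-8 before being used as the HMAC key.` If `bytes_`'s previous default was a different encoding (not visible here), any deployment whose secret contains non-ASCII characters now derives a different key, so cookies signed before the upgrade stop verifying; a sentence to that effect in CHANGES.txt would save operators a surprise. The function starts before the hunk.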
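Review bot: The key derivation `bytes_(secret, 'utf-8')` is now spelled out separately here and in `signed_serialize`; the two must stay byte-identical, and a future edit to one side would presumably surface only as every cookie being rejected rather than as an error. A one-line module helper, `def _hmac_key(secret): return bytes_(secret, 'utf-8')`, called from both functions would keep them in lockstep and give the encoding decision one place to be documented. `signed_deserialize` continues past the hunk with the comparison the `# Avoid timing attacks` comment introduces.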