From 69b613db258d71caa925f0165030b9974a1610ca Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Fri, 21 Feb 2014 21:51:53 -0600 Subject: test cases to reproduce #1246 --- pyramid/tests/test_session.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py index 1ad0729b3..6bce764ca 100644 --- a/pyramid/tests/test_session.py +++ b/pyramid/tests/test_session.py @@ -519,7 +519,7 @@ def serialize(data, secret): from pyramid.compat import native_ from pyramid.compat import pickle pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) - sig = hmac.new(bytes_(secret), pickled, sha1).hexdigest() + sig = hmac.new(bytes_(secret, 'utf-8'), pickled, sha1).hexdigest() return sig + native_(base64.b64encode(pickled)) class Test_signed_serialize(unittest.TestCase): @@ -531,6 +531,12 @@ class Test_signed_serialize(unittest.TestCase): expected = serialize('123', 'secret') result = self._callFUT('123', 'secret') self.assertEqual(result, expected) + + def test_it_with_highorder_secret(self): + secret = b'La Pe\xc3\xb1a'.decode('utf-8') + expected = serialize('123', secret) + result = self._callFUT('123', secret) + self.assertEqual(result, expected) class Test_signed_deserialize(unittest.TestCase): def _callFUT(self, serialized, secret, hmac=None): @@ -562,6 +568,12 @@ class Test_signed_deserialize(unittest.TestCase): serialized = 'bad' + serialize('123', 'secret') self.assertRaises(ValueError, self._callFUT, serialized, 'secret') + def test_it_with_highorder_secret(self): + secret = b'La Pe\xc3\xb1a'.decode('utf-8') + serialized = serialize('123', secret) + result = self._callFUT(serialized, secret) + self.assertEqual(result, '123') + class Test_check_csrf_token(unittest.TestCase): def _callFUT(self, *args, **kwargs): from ..session import check_csrf_token -- cgit v1.2.3 From adcacf48dbf6eb84a1c1661918f3fb093a929bc2 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Fri, 21 Feb 2014 21:52:14 -0600 Subject: support high-order characters in UnencryptedCookieSessionFactoryConfig secrets --- CHANGES.txt | 3 +++ pyramid/session.py | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 84d0694e3..6372c904d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -4,6 +4,9 @@ Unreleased - Avoid crash in ``pserve --reload`` under Py3k, when iterating over posiibly mutated ``sys.modules``. +- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained + higher order characters. See https://github.com/Pylons/pyramid/issues/1246 + 1.5b1 (2014-02-08) ================== diff --git a/pyramid/session.py b/pyramid/session.py index 3a045b91b..d1964c43e 100644 --- a/pyramid/session.py +++ b/pyramid/session.py @@ -57,7 +57,7 @@ def signed_serialize(data, secret): response.set_cookie('signed_cookie', cookieval) """ pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) - sig = hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest() + sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest() return sig + native_(base64.b64encode(pickled)) def signed_deserialize(serialized, secret, hmac=hmac): @@ -81,7 +81,9 @@ def signed_deserialize(serialized, secret, hmac=hmac): # Badly formed data can make base64 die raise ValueError('Badly formed base64 data: %s' % e) - sig = bytes_(hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest()) + sig = bytes_(hmac.new( + bytes_(secret, 'utf-8'), pickled, hashlib.sha1, + ).hexdigest()) # Avoid timing attacks (see # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf) -- cgit v1.2.3 From cf026e2cd8704a679dd83760907d8847deabb18e Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Fri, 21 Feb 2014 22:33:33 -0600 Subject: fix regression with code expecting secrets to be encoded with latin-1 --- pyramid/session.py | 16 ++++++++++++---- pyramid/tests/test_session.py | 17 +++++++++++++++-- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/pyramid/session.py b/pyramid/session.py index d1964c43e..4dc7bda74 100644 --- a/pyramid/session.py +++ b/pyramid/session.py @@ -57,7 +57,12 @@ def signed_serialize(data, secret): response.set_cookie('signed_cookie', cookieval) """ pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) - sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest() + try: + # bw-compat with pyramid <= 1.5b1 where latin1 is the default + secret = bytes_(secret) + except UnicodeEncodeError: + secret = bytes_(secret, 'utf-8') + sig = hmac.new(secret, pickled, hashlib.sha1).hexdigest() return sig + native_(base64.b64encode(pickled)) def signed_deserialize(serialized, secret, hmac=hmac): @@ -81,9 +86,12 @@ def signed_deserialize(serialized, secret, hmac=hmac): # Badly formed data can make base64 die raise ValueError('Badly formed base64 data: %s' % e) - sig = bytes_(hmac.new( - bytes_(secret, 'utf-8'), pickled, hashlib.sha1, - ).hexdigest()) + try: + # bw-compat with pyramid <= 1.5b1 where latin1 is the default + secret = bytes_(secret) + except UnicodeEncodeError: + secret = bytes_(secret, 'utf-8') + sig = bytes_(hmac.new(secret, pickled, hashlib.sha1).hexdigest()) # Avoid timing attacks (see # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf) diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py index 6bce764ca..f1b1e2296 100644 --- a/pyramid/tests/test_session.py +++ b/pyramid/tests/test_session.py @@ -533,10 +533,16 @@ class Test_signed_serialize(unittest.TestCase): self.assertEqual(result, expected) def test_it_with_highorder_secret(self): - secret = b'La Pe\xc3\xb1a'.decode('utf-8') + secret = b'\xce\xb1\xce\xb2\xce\xb3\xce\xb4'.decode('utf-8') expected = serialize('123', secret) result = self._callFUT('123', secret) self.assertEqual(result, expected) + + def test_it_with_latin1_secret(self): + secret = b'La Pe\xc3\xb1a' + expected = serialize('123', secret) + result = self._callFUT('123', secret.decode('latin-1')) + self.assertEqual(result, expected) class Test_signed_deserialize(unittest.TestCase): def _callFUT(self, serialized, secret, hmac=None): @@ -569,11 +575,18 @@ class Test_signed_deserialize(unittest.TestCase): self.assertRaises(ValueError, self._callFUT, serialized, 'secret') def test_it_with_highorder_secret(self): - secret = b'La Pe\xc3\xb1a'.decode('utf-8') + secret = b'\xce\xb1\xce\xb2\xce\xb3\xce\xb4'.decode('utf-8') serialized = serialize('123', secret) result = self._callFUT(serialized, secret) self.assertEqual(result, '123') + # bwcompat with pyramid <= 1.5b1 where latin1 is the default + def test_it_with_latin1_secret(self): + secret = b'La Pe\xc3\xb1a' + serialized = serialize('123', secret) + result = self._callFUT(serialized, secret.decode('latin-1')) + self.assertEqual(result, '123') + class Test_check_csrf_token(unittest.TestCase): def _callFUT(self, *args, **kwargs): from ..session import check_csrf_token -- cgit v1.2.3 From 1bd3157143c7ae6e0a35fa07e4f0888ddd347ab5 Mon Sep 17 00:00:00 2001 From: Robert Buchholz Date: Mon, 3 Mar 2014 16:24:31 +0100 Subject: Hand RepozeWho1AuthenticationPolicy.remember kwargs to repoze.who #1249 Documentation for pyramid.security.remember supports keyword arguments to hand over to the authentication policy. However, when using RepozeWho1AuthenticationPolicy, all of the kw were dropped in remember. It is my understanding that with repoze.who, additional configuration parameters shall be stored in the identity dictionary. In our case, setting the max_age parameter to the authtkt identifier, would be done using an identity {'repoze.who.userid':principal, 'max_age': 23}. It seems sensible just to hand over kw through the identity dictionary and all users to specify max_age or other parameters such as userdata. --- pyramid/authentication.py | 11 +++++++++-- pyramid/tests/test_authentication.py | 8 ++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/pyramid/authentication.py b/pyramid/authentication.py index ba7b864f9..b84981bbc 100644 --- a/pyramid/authentication.py +++ b/pyramid/authentication.py @@ -336,12 +336,19 @@ class RepozeWho1AuthenticationPolicy(CallbackAuthenticationPolicy): return effective_principals def remember(self, request, principal, **kw): - """ Store the ``principal`` as ``repoze.who.userid``.""" + """ Store the ``principal`` as ``repoze.who.userid``. + + The identity to authenticated to :mod:`repoze.who` + will contain the given principal as ``userid``, and + provide all keyword arguments as additional identity + keys. Useful keys could be ``max_age`` or ``userdata``. + """ identifier = self._get_identifier(request) if identifier is None: return [] environ = request.environ - identity = {'repoze.who.userid':principal} + identity = kw + identity['repoze.who.userid'] = principal return identifier.remember(environ, identity) def forget(self, request): diff --git a/pyramid/tests/test_authentication.py b/pyramid/tests/test_authentication.py index 79d2a5923..e25e9faa1 100644 --- a/pyramid/tests/test_authentication.py +++ b/pyramid/tests/test_authentication.py @@ -350,6 +350,14 @@ class TestRepozeWho1AuthenticationPolicy(unittest.TestCase): self.assertEqual(result[0], request.environ) self.assertEqual(result[1], {'repoze.who.userid':'fred'}) + def test_remember_kwargs(self): + authtkt = DummyWhoPlugin() + request = DummyRequest( + {'repoze.who.plugins':{'auth_tkt':authtkt}}) + policy = self._makeOne() + result = policy.remember(request, 'fred', max_age=23) + self.assertEqual(result[1], {'repoze.who.userid':'fred', 'max_age': 23}) + def test_forget_no_plugins(self): request = DummyRequest({}) policy = self._makeOne() -- cgit v1.2.3 From 71c979fb9a89cffdc57a9533a61101483c23b93b Mon Sep 17 00:00:00 2001 From: Daniel Haaker Date: Wed, 26 Mar 2014 09:56:15 +0100 Subject: Remove whitespace before the open parenthesis --- docs/quick_tutorial/hello_world/app.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/quick_tutorial/hello_world/app.py b/docs/quick_tutorial/hello_world/app.py index 210075023..0a95f9ad3 100644 --- a/docs/quick_tutorial/hello_world/app.py +++ b/docs/quick_tutorial/hello_world/app.py @@ -4,7 +4,7 @@ from pyramid.response import Response def hello_world(request): - print ('Incoming request') + print('Incoming request') return Response('

Hello World!

') @@ -14,4 +14,4 @@ if __name__ == '__main__': config.add_view(hello_world, route_name='hello') app = config.make_wsgi_app() server = make_server('0.0.0.0', 6543, app) - server.serve_forever() \ No newline at end of file + server.serve_forever() -- cgit v1.2.3 From 92b27dc06a4a73ea4ff0649855a5a84cd30b458c Mon Sep 17 00:00:00 2001 From: Daniel Haaker Date: Wed, 26 Mar 2014 10:10:54 +0100 Subject: Update hello_world.rst Modify 'Extra Credit' to reflect code example --- docs/quick_tutorial/hello_world.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/quick_tutorial/hello_world.rst b/docs/quick_tutorial/hello_world.rst index 86e1319f0..1a9ba4c9d 100644 --- a/docs/quick_tutorial/hello_world.rst +++ b/docs/quick_tutorial/hello_world.rst @@ -96,13 +96,13 @@ Extra Credit .. code-block:: python - print ('Starting up server on http://localhost:6547') + print('Incoming request') ...instead of: .. code-block:: python - print 'Starting up server on http://localhost:6547' + print 'Incoming request' #. What happens if you return a string of HTML? A sequence of integers? -- cgit v1.2.3