[Checkins] SVN: Products.PluggableAuthService/trunk/ Merge r115650 from branches/1.6:

Maurits van Rees m.van.rees at zestsoftware.nl
Thu Aug 12 10:51:45 EDT 2010


Log message for revision 115651:
  Merge r115650 from branches/1.6:
  Fixed possible TypeError in extractCredentials of CookieAuthHelper when the __ac cookie is not ours
  (but e.g. from plone.session, though even then only in a corner case).

Changed:
  U   Products.PluggableAuthService/trunk/CHANGES.txt
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py

-=-
Modified: Products.PluggableAuthService/trunk/CHANGES.txt
===================================================================
--- Products.PluggableAuthService/trunk/CHANGES.txt	2010-08-12 14:43:10 UTC (rev 115650)
+++ Products.PluggableAuthService/trunk/CHANGES.txt	2010-08-12 14:51:44 UTC (rev 115651)
@@ -4,6 +4,10 @@
 1.7.1 (2010-07-01)
 ------------------
 
+- Fixed possible TypeError in extractCredentials of CookieAuthHelper
+  when the __ac cookie is not ours (but e.g. from plone.session,
+  though even then only in a corner case).
+
 - Made ``ZODBRoleManager.assignRoleToPrincipal`` raise and log a more
   informative error when detecting a duplicate principal.
   https://bugs.launchpad.net/zope-pas/+bug/348795
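
Review bot: the new entry is placed under the `1.7.1 (2010-07-01)` heading, whose date is about six weeks earlier than this commit (2010-08-12). If 1.7.1 has already been released, move the entry to a new unreleased section so the changelog does not suggest that 1.7.1 contains this fix.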

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py	2010-08-12 14:43:10 UTC (rev 115650)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py	2010-08-12 14:51:44 UTC (rev 115651)
@@ -124,8 +124,12 @@
                 # Cookie is in a different format, so it is not ours
                 return creds
 
-            creds['login'] = login.decode('hex')
-            creds['password'] = password.decode('hex')
+            try:
+                creds['login'] = login.decode('hex')
+                creds['password'] = password.decode('hex')
+            except TypeError:
+                # Cookie is in a different format, so it is not ours
+                return creds
 
         if creds:
             creds['remote_host'] = request.get('REMOTE_HOST', '')
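
Review bot: in the new try block, `creds['login']` is assigned before `password.decode('hex')` runs, so when the login part is valid hex and the password part is not, the except branch returns a dict that already contains 'login' instead of an empty one. Decode both values into local variables first and assign them to creds only after both succeed, so that a cookie that is not ours always yields empty credentials. The comment in the except branch repeats the one a few lines above; it could say that hex decoding failed.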

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py	2010-08-12 14:43:10 UTC (rev 115650)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py	2010-08-12 14:51:44 UTC (rev 115651)
@@ -186,7 +186,23 @@
                          'remote_host': '', 
                          'remote_address': ''}) 
 
+    def test_extractCredentials_from_cookie_with_colon_that_is_not_ours(self): 
+        # http://article.gmane.org/gmane.comp.web.zope.plone.product-developers/5145
+        from base64 import encodestring
 
+        helper = self._makeOne()
+        response = FauxCookieResponse()
+        request = FauxSettableRequest(RESPONSE=response)
+
+        cookie_str = 'cookie:from_other_plugin'
+        cookie_val = encodestring(cookie_str)
+        cookie_val = cookie_val.rstrip()
+        request.set(helper.cookie_name, cookie_val)
+
+        self.assertEqual(helper.extractCredentials(request),
+                        {})
+
+
 if __name__ == "__main__":
     unittest.main()
 
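Review bot: `cookie_str = 'cookie:from_other_plugin'` only exercises the case where the part before the colon fails to hex-decode, so the assertion on `{}` does not cover a cookie whose first part is valid hex and whose second part is not. Add a second case for that input (for example with 'abcd' before the colon) and assert that extractCredentials still returns `{}`.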


