[Checkins] SVN: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/ Fixed an issue where a bad cookie value would raise an inappropriate exception.

Malthe Borch mborch at gmail.com
Thu Dec 2 12:34:48 EST 2010


Log message for revision 118673:
  Fixed an issue where a bad cookie value would raise an inappropriate exception (an uncaught binascii.Error from base64 decoding, instead of the cookie being treated as not ours).

Changed:
  U   Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
  U   Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py

-=-
Modified: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
===================================================================
--- Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py	2010-12-02 17:32:23 UTC (rev 118672)
+++ Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py	2010-12-02 17:34:48 UTC (rev 118673)
@@ -18,6 +18,7 @@
 """
 
 from base64 import encodestring, decodestring
+from binascii import Error
 from urllib import quote, unquote
 
 from AccessControl.SecurityInfo import ClassSecurityInfo
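Review bot: `from binascii import Error` puts a bare name `Error` into the module namespace, so the `except Error:` site further down reads like a project-defined exception and is easy to confuse with, or shadow by, any other `Error` class imported later. `import binascii` here and `except binascii.Error:` at the catch site keeps the origin visible where it matters. The name also deserves a caveat comment at the import, since in Python 2 `binascii.a2b_base64` skips characters outside the base64 alphabet and raises only on bad padding or a short final quad, e.g. `# binascii.Error: raised by decodestring only for bad padding/length, not for non-base64 characters`.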
@@ -118,8 +119,14 @@
             creds['password'] = request.form.get('__ac_password', '')
 
         elif cookie and cookie != 'deleted':
-            cookie_val = decodestring(unquote(cookie))
+            raw = unquote(cookie)
             try:
+                cookie_val = decodestring(raw)
+            except Error:
+                # Cookie is in a different format, so it is not ours
+                return creds
+
+            try:
                 login, password = cookie_val.split(':')
             except ValueError:
                 # Cookie is in a different format, so it is not ours
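Review bot: The new `try` around `decodestring(raw)` and the existing `try` around the `split(':')` carry the identical comment and, as far as the hunk shows, the same intent of giving up on a cookie that is not ours, so they could be a single `try` with `except (Error, ValueError):` — provided the ValueError branch, whose body continues outside the hunk, also ends in `return creds`; if it does something else the two must stay separate. Whichever shape is kept, the comment on the `Error` branch should say what is actually caught: on Python 2 `decodestring` ignores characters outside the base64 alphabet and raises `binascii.Error` only for bad padding or a truncated final quad, so arbitrary garbage still decodes to bytes and is only rejected by the `split`. A malformed cookie is now swallowed silently and will be re-sent on every request; I would at least note that in the comment, and it may be worth considering whether the caller is expected to expire it, which I cannot tell from this hunk. Suggested merged form, if the ValueError branch permits it:
```python
            raw = unquote(cookie)
            try:
                login, password = decodestring(raw).split(':')
            except (Error, ValueError):
                # Not our cookie: decodestring raises binascii.Error only for
                # bad padding / a short final quad, split fails without exactly
                # one ':' separator.  Either way the cookie is left in place.
                return creds
```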

Modified: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py
===================================================================
--- Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py	2010-12-02 17:32:23 UTC (rev 118672)
+++ Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py	2010-12-02 17:34:48 UTC (rev 118673)
@@ -203,7 +203,22 @@
         self.assertEqual(helper.extractCredentials(request),
                         {})
 
+    def test_extractCredentials_from_cookie_with_bad_binascii(self):
+        # this might happen between browser implementations
+        from base64 import encodestring
 
+        helper = self._makeOne()
+        response = FauxCookieResponse()
+        request = FauxSettableRequest(RESPONSE=response)
+
+        cookie_val = 'NjE2NDZkNjk2ZTo3MDZjNmY2ZTY1MzQ3NQ%3D%3D'[:-1]
+        request.set(helper.cookie_name, cookie_val)
+
+        self.assertEqual(helper.extractCredentials(request),
+                        {})
+
+
+
 if __name__ == "__main__":
     unittest.main()
 
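Review bot: The fixture in `test_extractCredentials_from_cookie_with_bad_binascii` is subtle and undocumented: slicing `[:-1]` turns the trailing `%3D%3D` into `=%3`, `unquote` leaves the incomplete `%3` escape untouched, and `decodestring` then raises only because it skips the `%`, consumes the `3` as a base64 digit and ends on a short final quad. A one-line comment above the value, such as `# '%3D%3D' truncated to '=%3': unquote keeps '%3', decodestring then fails on a short final quad`, would stop a future reader from "fixing" the string or assuming any non-base64 text reaches this branch. The three blank lines added before `if __name__ == "__main__":` are one more than the file's two-blank-line convention. The test helper classes (`FauxCookieResponse`, `FauxSettableRequest`) are defined outside the hunk.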


