Brian Bird
brian.bird at securetrading.com
Mon Sep 6 12:11:24 EDT 2004
I posted a similar question about this a while ago but got no reply, so I've done some more investigation:

In Session.py, the BaseSession class takes an optional secret parameter. However, when the cookie is created its type is not checked to ensure it is of type "SignedCookie" instead of just "Cookie". The documentation (http://www.modpython.org/live/current/doc-html/pyapi-cookie-classes.html) says you must do this, otherwise the secret parameter is essentially irrelevant. (I can't write my own subclass to fix this because the cookies variable is local and unavailable to subclasses.)

I'd suggest having an extra couple of lines at line 117 of Session.py saying something like:

    if secret and (type(cookies[COOKIE_NAME]) is not Cookie.SignedCookie):
        raise Exception("Tampered Cookie")

Or perhaps, instead of raising an exception, we should just not set self._sid, which will mean the existing cookie will be ignored:

    if cookies.has_key(COOKIE_NAME):
        if secret and (type(cookies[COOKIE_NAME]) is not Cookie.SignedCookie):
            pass
        else:
            self._sid = cookies[COOKIE_NAME].value

Any comments? I need this fixed for the project I'm writing - if there are no better suggestions, how do I get this patched? I think the second solution is better (but only because it's more convenient for my particular project ;-) so perhaps someone can think of a more generic solution?

Thanks,
Brian
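The failure mode Brian describes, as an added example that is not mod_python's code and not part of the original post: a small, self-contained model of a cookie jar that returns either a plain Cookie or a SignedCookie, with the session-id lookup written once without the type check and once with it. The cookie name "pysid", the "<hmac-sha256 tag>:<value>" wire format and the helper names (sign, parse_cookies, sid_unchecked, sid_checked) are assumptions made for this illustration; they do not claim to match mod_python's own Cookie or Session classes.

```python
import hashlib
import hmac

# Assumed session cookie name for this example (not necessarily mod_python's).
COOKIE_NAME = "pysid"


class Cookie:
    """A plain, unauthenticated cookie: the client can set it to anything."""

    def __init__(self, name, value):
        self.name = name
        self.value = value


class SignedCookie(Cookie):
    """A cookie whose value arrived with a valid HMAC tag for our secret."""


def sign(secret, name, value):
    """HMAC-SHA256 over name=value, hex encoded. Assumed tag format for the model."""
    msg = f"{name}={value}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def parse_cookies(header, secret=None):
    """Parse a Cookie request header into {name: Cookie | SignedCookie}.

    Mirrors the documented contract the post refers to: when a secret is
    given, a value shaped '<tag>:<value>' whose tag verifies becomes a
    SignedCookie; anything else (no tag, bad tag, no secret) is a plain
    Cookie. A forged cookie is therefore still *present* in the jar; what
    distinguishes it is only its type.
    """
    jar = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        if secret is not None and ":" in raw:
            tag, _, value = raw.partition(":")
            expected = sign(secret, name, value)
            # Constant-time comparison so tag guessing does not leak timing.
            if hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
                jar[name] = SignedCookie(name, value)
                continue
        jar[name] = Cookie(name, raw)
    return jar


def sid_unchecked(cookies):
    """The behaviour complained about: any cookie with the right name is trusted,
    so the secret buys nothing and a client can pick its own session id."""
    if COOKIE_NAME in cookies:
        return cookies[COOKIE_NAME].value
    return None


def sid_checked(cookies, secret):
    """The post's second proposal: with a secret configured, an unsigned (or
    badly signed) cookie is ignored rather than used, so the session layer
    behaves as if no cookie had been sent."""
    if COOKIE_NAME in cookies:
        cookie = cookies[COOKIE_NAME]
        if secret and not isinstance(cookie, SignedCookie):
            return None
        return cookie.value
    return None


if __name__ == "__main__":
    secret = "example-secret"
    # Constructed request headers: one forged by a client, one we issued.
    forged = parse_cookies(f"{COOKIE_NAME}=attacker-chosen-sid", secret)
    issued = parse_cookies(f"{COOKIE_NAME}={sign(secret, COOKIE_NAME, 'real-sid')}:real-sid", secret)
    print("unchecked, forged  ->", sid_unchecked(forged))
    print("checked,   forged  ->", sid_checked(forged, secret))
    print("checked,   issued  ->", sid_checked(issued, secret))
```

Raising on an unsigned cookie (the post's first proposal) is the same check with `raise` in place of `return None`; the ignore-it variant is friendlier to clients that still hold a cookie from before the secret was configured, since they silently get a fresh session instead of an error.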