[mod_python] Bug in BaseSession.py

Brian Bird brian.bird at securetrading.com
Mon Sep 6 12:11:24 EDT 2004


I posted a similar question about this a while ago but got no reply, so I've
done some more investigation:

In Session.py, the BaseSession class takes an optional secret parameter.
However, when the cookie is created its type is not checked to ensure it is
of type "SignedCookie" instead of just "Cookie". The documentation
(http://www.modpython.org/live/current/doc-html/pyapi-cookie-classes.html)
says you must do this, otherwise the secret parameter is essentially
irrelevant.

(I can't write my own subclass to fix this because the cookies variable is
local and unavailable to subclasses)

I'd suggest having an extra couple of lines at line 117 of Session.py saying
something like:

if secret and (type(cookies[COOKIE_NAME]) is not Cookie.SignedCookie):
	raise Exception("Tampered Cookie")

Or perhaps instead of raising an exception we should just not set self._sid
which will mean the existing cookie will be ignored:

if cookies.has_key(COOKIE_NAME):
	if secret and (type(cookies[COOKIE_NAME]) is not Cookie.SignedCookie):
		pass
	else:
		self._sid = cookies[COOKIE_NAME].value


Any comments? I need this fixing for the project I'm writing - if there are
no better suggestions, how do I get this patched? I think the second
solution is better (but only because it's more convenient for my particular
project ;-) so perhaps someone can think of a more generic solution?

Thanks,
Brian
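The check proposed above, worked through as an added, stand-alone example. This is not mod_python's code and not Brian's patch: the Cookie/SignedCookie classes and parse_cookies() are an assumed simplified model (HMAC-SHA256 over name+value, digest prepended to the value) of the behaviour the post relies on, namely that when a secret is given a cookie whose signature verifies comes back as a SignedCookie and anything else comes back as a plain Cookie. session_id_from_cookies() implements both proposals (raise, or ignore the cookie), and demo() contrasts them with the unpatched lookup, which takes the value regardless of type.

```python
"""Added example: why BaseSession must check for SignedCookie when a secret
is set.  Cookie, SignedCookie and parse_cookies() are an assumed model, not
mod_python's own implementation."""
import hashlib
import hmac

COOKIE_NAME = "pysid"                       # cookie name used in the post
DIGEST_LEN = hashlib.sha256().digest_size * 2   # hex digest length (64)


class Cookie:
    """Unsigned cookie: a name/value pair with no integrity protection."""
    def __init__(self, name, value):
        self.name = name
        self.value = value

    def __str__(self):
        return "%s=%s" % (self.name, self.value)


def _sign(secret, name, value):
    """HMAC-SHA256 over name+value, hex encoded (assumed scheme)."""
    return hmac.new(secret.encode(), (name + value).encode(),
                    hashlib.sha256).hexdigest()


class SignedCookie(Cookie):
    """Cookie whose wire value is hexdigest + value."""
    def __init__(self, name, value, secret):
        Cookie.__init__(self, name, value)
        self.hexdigest = _sign(secret, name, value)

    def __str__(self):
        return "%s=%s%s" % (self.name, self.hexdigest, self.value)


def parse_cookies(header, secret=None):
    """Parse a Cookie: header into {name: Cookie | SignedCookie}.

    With a secret, a value carrying a valid HMAC becomes a SignedCookie.
    A value with no HMAC, or a wrong one, is NOT dropped: it is returned
    as a plain Cookie.  That is exactly the case the post's check must
    catch, because an unchecked caller uses .value either way.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, wire = part.split("=", 1)
        if secret and len(wire) > DIGEST_LEN:
            sig, value = wire[:DIGEST_LEN], wire[DIGEST_LEN:]
            if hmac.compare_digest(sig, _sign(secret, name, value)):
                cookies[name] = SignedCookie(name, value, secret)
                continue
        cookies[name] = Cookie(name, wire)
    return cookies


def session_id_from_cookies(cookies, secret=None, strict=False):
    """Patched lookup: return the session id, or None for no usable cookie.

    strict=True  -> first proposal: raise on a non-SignedCookie.
    strict=False -> second proposal: ignore it, so a new session is made.
    Without a secret there is nothing to verify and the value is used.
    """
    if COOKIE_NAME not in cookies:
        return None
    cookie = cookies[COOKIE_NAME]
    if secret and not isinstance(cookie, SignedCookie):
        if strict:
            raise ValueError("Tampered Cookie")
        return None
    return cookie.value


def demo():
    """Constructed inputs: a legitimately signed cookie, an unsigned forgery,
    and one signed under the wrong key.  Returns the four lookups."""
    secret = "s3cret"
    legit = str(SignedCookie(COOKIE_NAME, "abc123", secret))
    forged = COOKIE_NAME + "=abc123"
    resigned = str(SignedCookie(COOKIE_NAME, "abc123", "wrong-key"))

    good = session_id_from_cookies(parse_cookies(legit, secret), secret)
    forged_sid = session_id_from_cookies(parse_cookies(forged, secret), secret)
    resigned_sid = session_id_from_cookies(parse_cookies(resigned, secret), secret)
    # unpatched behaviour: .value taken without looking at the type
    unpatched = parse_cookies(forged, secret)[COOKIE_NAME].value
    return good, forged_sid, resigned_sid, unpatched
```

The isinstance test is used here rather than the post's `type(...) is not`, so that a subclass of SignedCookie would also pass; the behaviour for a plain Cookie is the same.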