quetz-mod_python-dev mailing list archives

From "Graham Dumpleton (JIRA)" <j...@apache.org>
Subject [jira] Work started: (MODPYTHON-191) Tampering with signed cookies.
Date Tue, 31 Oct 2006 05:43:58 GMT
     [ http://issues.apache.org/jira/browse/MODPYTHON-191?page=all ]

Work on MODPYTHON-191 started by Graham Dumpleton.

> Tampering with signed cookies.
> ------------------------------
>
>                 Key: MODPYTHON-191
>                 URL: http://issues.apache.org/jira/browse/MODPYTHON-191
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.2.10
>            Reporter: Graham Dumpleton
>         Assigned To: Graham Dumpleton
>             Fix For: 3.3
>
>
> As reported by Andy Pearce in:
>   http://mail-archives.apache.org/mod_mbox/httpd-python-dev/200609.mbox/%3c44F824E2.4040304@jgassociates.ca%3e
> Andy Pearce wrote:
> > 
> > Hi,
> > 
> > I think I might have spotted a slight bug in Session.py. When the 
> > 'secret' parameter is supplied to use the SignedCookie class, it appears 
> > that __init__ of BaseSession doesn't check the return type of 
> > get_cookies().
> > 
> > If I understand the SignedCookie docs correctly, if the cookie value 
> > doesn't match its signature, it simply returns the contents as a Cookie 
> > rather than a SignedCookie (indicating that the user tampered with their 
> > cookie before sending it back).
> > 
> > However, there is no check in BaseSession's __init__ that the return of 
> > get_cookies() is a SignedCookie in the case that 'secret' is supplied.
> > 
> > Perhaps a minor point, but it would seem to make the option of using 
> > SignedCookies rather pointless, since the signature isn't being checked. 
> > Presumably if the cookie has been tampered with, your only safe option 
> > is to throw it away and generate a new one. I think this can be achieved 
> > by changing the lines:
> > 
> >     if cookies.has_key(session_cookie_name):
> >         self._sid = cookies[session_cookie_name].value
> > 
> > To something like:
> > 
> >     if cookies.has_key(session_cookie_name):
> >         if not secret or type(cookies[session_cookie_name]) \
> >                 is Cookie.SignedCookie:
> >             self._sid = cookies[session_cookie_name].value
> > 
> > I'm fairly new to mod_python, so if I'm mistaken then my apologies, and 
> > a quick explanation of why would be very much appreciated! ^_^
> > 
> > Thanks,
> > 
> >     - Andy
> > 
> Is this correct, and is the suggested change appropriate?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
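The following is an added example, not mod_python's own code: a simplified model of the signed-cookie fallback the report describes, with the unchecked session lookup beside the checked one. The wire format (`<64 hex HMAC-SHA256><value>`), the function names `sign`, `get_cookies`, `session_id_unchecked` and `session_id`, and the cookie name `pysid` are assumptions made for this illustration.

```python
import hashlib
import hmac


class Cookie:
    """Plain cookie: a name and a value, with no integrity protection."""
    def __init__(self, name, value):
        self.name, self.value = name, value


class SignedCookie(Cookie):
    """A cookie whose value carried a MAC that verified under the secret."""


def _mac(secret, value):
    # Assumed scheme for this example: HMAC-SHA256, hex-encoded (64 chars).
    return hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()


def sign(secret, name, value):
    """Produce the Cookie header text for a signed cookie."""
    return f"{name}={_mac(secret, value)}{value}"


def get_cookies(header, secret=None):
    """Parse a Cookie header. With a secret, a value whose MAC verifies comes
    back as SignedCookie; anything else silently degrades to a plain Cookie,
    mirroring the fallback behaviour described in the report."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, raw = (s.strip() for s in part.split("=", 1))
        if secret is not None and len(raw) > 64:
            mac, value = raw[:64], raw[64:]
            if hmac.compare_digest(mac, _mac(secret, value)):
                cookies[name] = SignedCookie(name, value)
                continue
        cookies[name] = Cookie(name, raw)  # unsigned or tampered: untrusted
    return cookies


def session_id_unchecked(header, secret=None, name="pysid"):
    """The original BaseSession logic: trusts whatever value came back."""
    cookies = get_cookies(header, secret)
    return cookies[name].value if name in cookies else None


def session_id(header, secret=None, name="pysid"):
    """The proposed fix: when a secret is configured, only a cookie that
    actually verified may supply the session id; otherwise discard it so
    the caller generates a fresh session."""
    cookies = get_cookies(header, secret)
    c = cookies.get(name)
    if c is None or (secret and not isinstance(c, SignedCookie)):
        return None
    return c.value
```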
