Commit 75b19aad authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.

Receiving name & password parameters does not prevent us from also
receiving the authentication cookie. It must not be kept in the request.
And likewise for requests also containing an HTTP authentication header.
And likewise for requests for which CookieCrumbler disables itself on.
parent 51aaed94
Pipeline #9560 failed with stage
in 0 seconds
......@@ -110,66 +110,66 @@ def modifyRequest(self, req, resp):
cookie login is disabled for this request, raises
CookieCrumblerDisabled.
"""
if (req.__class__ is not HTTPRequest
or not req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
or req.environ.has_key('WEBDAV_SOURCE_PORT')):
raise CookieCrumblerDisabled
req.post_traverse(balancer_cookie_hook, (self, req, resp))
# attempt may contain information about an earlier attempt to
# authenticate using a higher-up cookie crumbler within the
# same request.
attempt = getattr(req, '_cookie_auth', ATTEMPT_NONE)
if attempt == ATTEMPT_NONE:
if req._auth:
# An auth header was provided and no cookie crumbler
# created it. The user must be using basic auth.
raise CookieCrumblerDisabled
if req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
# Attempt to log in and set cookies.
attempt = ATTEMPT_LOGIN
name = req[self.name_cookie]
pw = req[self.pw_cookie]
ac = standard_b64encode('%s:%s' % (name, pw))
self._setAuthHeader(ac, req, resp)
if req.get(self.persist_cookie, 0):
# Persist the user name (but not the pw or session)
expires = (DateTime() + 365).toZone('GMT').rfc822()
resp.setCookie(self.name_cookie, name,
path=self.getCookiePath(),
expires=expires)
else:
# Expire the user name
resp.expireCookie(self.name_cookie,
path=self.getCookiePath())
method = self.getCookieMethod( 'setAuthCookie'
, self.defaultSetAuthCookie )
method( resp, self.auth_cookie, quote( ac ) )
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
elif req.has_key(self.auth_cookie):
# Attempt to resume a session if the cookie is valid.
# Copy __ac to the auth header.
ac = unquote(req[self.auth_cookie])
if ac and ac != 'deleted':
try:
standard_b64decode(ac)
except:
# Not a valid auth header.
pass
enabled = (req.__class__ is HTTPRequest
and req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
and 'WEBDAV_SOURCE_PORT' not in req.environ)
if enabled:
req.post_traverse(balancer_cookie_hook, (self, req, resp))
# attempt may contain information about an earlier attempt to
# authenticate using a higher-up cookie crumbler within the
# same request.
attempt = getattr(req, '_cookie_auth', ATTEMPT_NONE)
if attempt == ATTEMPT_NONE:
if req._auth:
# An auth header was provided and no cookie crumbler
# created it. The user must be using basic auth.
enabled = False
elif req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
# Attempt to log in and set cookies.
attempt = ATTEMPT_LOGIN
name = req[self.name_cookie]
pw = req[self.pw_cookie]
ac = standard_b64encode('%s:%s' % (name, pw))
self._setAuthHeader(ac, req, resp)
if req.get(self.persist_cookie, 0):
# Persist the user name (but not the pw or session)
expires = (DateTime() + 365).toZone('GMT').rfc822()
resp.setCookie(self.name_cookie, name,
path=self.getCookiePath(),
expires=expires)
else:
attempt = ATTEMPT_RESUME
self._setAuthHeader(ac, req, resp)
self.delRequestVar(req, self.auth_cookie)
method = self.getCookieMethod(
'twiddleAuthCookie', None)
if method is not None:
method(resp, self.auth_cookie, quote(ac))
# Expire the user name
resp.expireCookie(self.name_cookie,
path=self.getCookiePath())
method = self.getCookieMethod( 'setAuthCookie'
, self.defaultSetAuthCookie )
method( resp, self.auth_cookie, quote( ac ) )
elif req.has_key(self.auth_cookie):
# Attempt to resume a session if the cookie is valid.
# Copy __ac to the auth header.
ac = unquote(req[self.auth_cookie])
if ac and ac != 'deleted':
try:
standard_b64decode(ac)
except:
# Not a valid auth header.
pass
else:
attempt = ATTEMPT_RESUME
self._setAuthHeader(ac, req, resp)
self.delRequestVar(req, self.auth_cookie)
method = self.getCookieMethod(
'twiddleAuthCookie', None)
if method is not None:
method(resp, self.auth_cookie, quote(ac))
self.delRequestVar(req, self.auth_cookie)
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
if not enabled:
raise CookieCrumblerDisabled
req._cookie_auth = attempt
return attempt
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment