Commit 75b19aad authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.

Receiving name & password parameters does not prevent us from also
receiving the authentication cookie. It must not be kept in the request.
And likewise for requests also containing an HTTP authentication header.
And likewise for requests on which CookieCrumbler disables itself.
parent 51aaed94
...@@ -110,66 +110,66 @@ def modifyRequest(self, req, resp): ...@@ -110,66 +110,66 @@ def modifyRequest(self, req, resp):
cookie login is disabled for this request, raises cookie login is disabled for this request, raises
CookieCrumblerDisabled. CookieCrumblerDisabled.
""" """
if (req.__class__ is not HTTPRequest enabled = (req.__class__ is HTTPRequest
or not req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST') and req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
or req.environ.has_key('WEBDAV_SOURCE_PORT')): and 'WEBDAV_SOURCE_PORT' not in req.environ)
raise CookieCrumblerDisabled if enabled:
req.post_traverse(balancer_cookie_hook, (self, req, resp))
req.post_traverse(balancer_cookie_hook, (self, req, resp))
# attempt may contain information about an earlier attempt to
# attempt may contain information about an earlier attempt to # authenticate using a higher-up cookie crumbler within the
# authenticate using a higher-up cookie crumbler within the # same request.
# same request. attempt = getattr(req, '_cookie_auth', ATTEMPT_NONE)
attempt = getattr(req, '_cookie_auth', ATTEMPT_NONE)
if attempt == ATTEMPT_NONE:
if attempt == ATTEMPT_NONE: if req._auth:
if req._auth: # An auth header was provided and no cookie crumbler
# An auth header was provided and no cookie crumbler # created it. The user must be using basic auth.
# created it. The user must be using basic auth. enabled = False
raise CookieCrumblerDisabled elif req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
# Attempt to log in and set cookies.
if req.has_key(self.pw_cookie) and req.has_key(self.name_cookie): attempt = ATTEMPT_LOGIN
# Attempt to log in and set cookies. name = req[self.name_cookie]
attempt = ATTEMPT_LOGIN pw = req[self.pw_cookie]
name = req[self.name_cookie] ac = standard_b64encode('%s:%s' % (name, pw))
pw = req[self.pw_cookie] self._setAuthHeader(ac, req, resp)
ac = standard_b64encode('%s:%s' % (name, pw)) if req.get(self.persist_cookie, 0):
self._setAuthHeader(ac, req, resp) # Persist the user name (but not the pw or session)
if req.get(self.persist_cookie, 0): expires = (DateTime() + 365).toZone('GMT').rfc822()
# Persist the user name (but not the pw or session) resp.setCookie(self.name_cookie, name,
expires = (DateTime() + 365).toZone('GMT').rfc822() path=self.getCookiePath(),
resp.setCookie(self.name_cookie, name, expires=expires)
path=self.getCookiePath(),
expires=expires)
else:
# Expire the user name
resp.expireCookie(self.name_cookie,
path=self.getCookiePath())
method = self.getCookieMethod( 'setAuthCookie'
, self.defaultSetAuthCookie )
method( resp, self.auth_cookie, quote( ac ) )
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
elif req.has_key(self.auth_cookie):
# Attempt to resume a session if the cookie is valid.
# Copy __ac to the auth header.
ac = unquote(req[self.auth_cookie])
if ac and ac != 'deleted':
try:
standard_b64decode(ac)
except:
# Not a valid auth header.
pass
else: else:
attempt = ATTEMPT_RESUME # Expire the user name
self._setAuthHeader(ac, req, resp) resp.expireCookie(self.name_cookie,
self.delRequestVar(req, self.auth_cookie) path=self.getCookiePath())
method = self.getCookieMethod( method = self.getCookieMethod( 'setAuthCookie'
'twiddleAuthCookie', None) , self.defaultSetAuthCookie )
if method is not None: method( resp, self.auth_cookie, quote( ac ) )
method(resp, self.auth_cookie, quote(ac)) elif req.has_key(self.auth_cookie):
# Attempt to resume a session if the cookie is valid.
# Copy __ac to the auth header.
ac = unquote(req[self.auth_cookie])
if ac and ac != 'deleted':
try:
standard_b64decode(ac)
except:
# Not a valid auth header.
pass
else:
attempt = ATTEMPT_RESUME
self._setAuthHeader(ac, req, resp)
self.delRequestVar(req, self.auth_cookie)
method = self.getCookieMethod(
'twiddleAuthCookie', None)
if method is not None:
method(resp, self.auth_cookie, quote(ac))
self.delRequestVar(req, self.auth_cookie)
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
if not enabled:
raise CookieCrumblerDisabled
req._cookie_auth = attempt req._cookie_auth = attempt
return attempt return attempt
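Review bot: The docstring tail at the top of the hunk still only says that CookieCrumblerDisabled is raised when cookie login is disabled, yet the new side now removes `self.auth_cookie`, `self.name_cookie` and `self.pw_cookie` from the request via the three `delRequestVar` calls placed just before `if not enabled:` — as far as the side-by-side rendering lets me tell, outside the `if enabled:` block — so that scrubbing happens even on the raising path, and that guarantee is what callers and nested crumblers will rely on. I would add to the docstring: `The name, password and auth cookie request variables are always removed from the request with delRequestVar, even when CookieCrumblerDisabled is raised.` The `def modifyRequest` signature and the start of its docstring lie above the hunk. While here, the bare `except:` around `standard_b64decode(ac)` on the resume path swallows every exception, not just a malformed cookie; narrowing it to the decode error the running interpreter raises (TypeError from Python 2's base64, binascii.Error on Python 3) would stop unrelated failures from being silently treated as "not a valid auth header".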