Commit 75b19aad authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.

Receiving name & password parameters does not prevent us from also
receiving the authentication cookie. It must not be kept in the request.
And likewise for requests also containing an HTTP authentication header.
And likewise for requests on which CookieCrumbler disables itself.
parent 51aaed94
...@@ -110,11 +110,10 @@ def modifyRequest(self, req, resp): ...@@ -110,11 +110,10 @@ def modifyRequest(self, req, resp):
cookie login is disabled for this request, raises cookie login is disabled for this request, raises
CookieCrumblerDisabled. CookieCrumblerDisabled.
""" """
if (req.__class__ is not HTTPRequest enabled = (req.__class__ is HTTPRequest
or not req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST') and req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
or req.environ.has_key('WEBDAV_SOURCE_PORT')): and 'WEBDAV_SOURCE_PORT' not in req.environ)
raise CookieCrumblerDisabled if enabled:
req.post_traverse(balancer_cookie_hook, (self, req, resp)) req.post_traverse(balancer_cookie_hook, (self, req, resp))
# attempt may contain information about an earlier attempt to # attempt may contain information about an earlier attempt to
...@@ -126,9 +125,8 @@ def modifyRequest(self, req, resp): ...@@ -126,9 +125,8 @@ def modifyRequest(self, req, resp):
if req._auth: if req._auth:
# An auth header was provided and no cookie crumbler # An auth header was provided and no cookie crumbler
# created it. The user must be using basic auth. # created it. The user must be using basic auth.
raise CookieCrumblerDisabled enabled = False
elif req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
if req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
# Attempt to log in and set cookies. # Attempt to log in and set cookies.
attempt = ATTEMPT_LOGIN attempt = ATTEMPT_LOGIN
name = req[self.name_cookie] name = req[self.name_cookie]
...@@ -148,9 +146,6 @@ def modifyRequest(self, req, resp): ...@@ -148,9 +146,6 @@ def modifyRequest(self, req, resp):
method = self.getCookieMethod( 'setAuthCookie' method = self.getCookieMethod( 'setAuthCookie'
, self.defaultSetAuthCookie ) , self.defaultSetAuthCookie )
method( resp, self.auth_cookie, quote( ac ) ) method( resp, self.auth_cookie, quote( ac ) )
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
elif req.has_key(self.auth_cookie): elif req.has_key(self.auth_cookie):
# Attempt to resume a session if the cookie is valid. # Attempt to resume a session if the cookie is valid.
# Copy __ac to the auth header. # Copy __ac to the auth header.
...@@ -170,6 +165,11 @@ def modifyRequest(self, req, resp): ...@@ -170,6 +165,11 @@ def modifyRequest(self, req, resp):
if method is not None: if method is not None:
method(resp, self.auth_cookie, quote(ac)) method(resp, self.auth_cookie, quote(ac))
self.delRequestVar(req, self.auth_cookie)
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
if not enabled:
raise CookieCrumblerDisabled
req._cookie_auth = attempt req._cookie_auth = attempt
return attempt return attempt
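Review bot: The top-level disable computed in the first hunk (`enabled = (req.__class__ is HTTPRequest and ...)`) no longer short-circuits the function, so a request disabled there (non-HTTPRequest, other method, WEBDAV_SOURCE_PORT set) that also carries the name and password cookies still enters the ATTEMPT_LOGIN branch and calls the setAuthCookie method on the response (`method( resp, self.auth_cookie, quote( ac ) )` in the third hunk) before CookieCrumblerDisabled is raised in the last hunk; the auth-cookie resume branch is reached the same way. The old code raised before those branches, so this is a behaviour change beyond the unconditional cleanup the commit describes, unless code between the hunks re-checks `enabled`, which is not visible here. Gating the two branches keeps the cleanup unconditional while restoring the old short-circuit: `elif enabled and req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):` and `elif enabled and req.has_key(self.auth_cookie):`. modifyRequest starts before the first hunk and the code between hunks is outside view.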