ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.

Receiving name & password parameters does not prevent us from also receiving the authentication cookie. It must not be kept in the request. And likewise for requests also containing an HTTP authentication header. And likewise for requests for which CookieCrumbler disables itself on.

ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.
Receiving name & password parameters does not prevent us from also receiving the authentication cookie. It must not be kept in the request. And likewise for requests also containing an HTTP authentication header. And likewise for requests for which CookieCrumbler disables itself on.
75b19aad · Vincent Pelletier · 51aaed94 · 75b19aad
Commit 75b19aad authored Jan 16, 2020 by Vincent Pelletier
Show whitespace changes
Inline Side-by-side

Showing with 59 additions and 59 deletions

product/ERP5Type/patches/CookieCrumbler.py product/ERP5Type/patches/CookieCrumbler.py +59 -59

No files found.
--- a/product/ERP5Type/patches/CookieCrumbler.py
+++ b/product/ERP5Type/patches/CookieCrumbler.py
@@ -110,11 +110,10 @@ def modifyRequest(self, req, resp):
  cookie login is disabled for this request, raises
  CookieCrumblerDisabled.
  """
-  if (req.__class__ is not HTTPRequest
+  enabled = (req.__class__ is HTTPRequest
-      or not req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
+      and req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
-      or req.environ.has_key('WEBDAV_SOURCE_PORT')):
+      and 'WEBDAV_SOURCE_PORT' not in req.environ)
-      raise CookieCrumblerDisabled
+  if enabled:
    req.post_traverse(balancer_cookie_hook, (self, req, resp))
    # attempt may contain information about an earlier attempt to
@@ -126,9 +125,8 @@ def modifyRequest(self, req, resp):
      if req._auth:
        # An auth header was provided and no cookie crumbler
        # created it.  The user must be using basic auth.
-      raise CookieCrumblerDisabled
+        enabled = False
+      elif req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
-    if req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
        # Attempt to log in and set cookies.
        attempt = ATTEMPT_LOGIN
        name = req[self.name_cookie]
@@ -148,9 +146,6 @@ def modifyRequest(self, req, resp):
        method = self.getCookieMethod( 'setAuthCookie'
                                       , self.defaultSetAuthCookie )
        method( resp, self.auth_cookie, quote( ac ) )
-      self.delRequestVar(req, self.name_cookie)
-      self.delRequestVar(req, self.pw_cookie)
      elif req.has_key(self.auth_cookie):
        # Attempt to resume a session if the cookie is valid.
        # Copy __ac to the auth header.
@@ -170,6 +165,11 @@ def modifyRequest(self, req, resp):
            if method is not None:
              method(resp, self.auth_cookie, quote(ac))
+  self.delRequestVar(req, self.auth_cookie)
+  self.delRequestVar(req, self.name_cookie)
+  self.delRequestVar(req, self.pw_cookie)
+  if not enabled:
+    raise CookieCrumblerDisabled
  req._cookie_auth = attempt
  return attempt