[Zope-PAS] [Checkins] SVN: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/ Fixed possible TypeError in extractCredentials of CookieAuthHelper when the __ac cookie is not ours (but e.g. from plone.session, though even then only in a corner case).

Wichert Akkerman wichert at wiggy.net
Thu Aug 12 13:44:54 EDT 2010


Hi Maurits,

On 2010-8-12 16:43, Maurits van Rees wrote:
> Log message for revision 115650:
>    Fixed possible TypeError in extractCredentials of CookieAuthHelper when the __ac cookie is not ours (but e.g. from plone.session, though even then only in a corner case).
>
> Changed:
>    U   Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
>    U   Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py
>
> -=-
> Modified: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
> ===================================================================
> --- Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py	2010-08-12 09:03:42 UTC (rev 115649)
> +++ Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py	2010-08-12 14:43:10 UTC (rev 115650)
> @@ -125,8 +125,12 @@
>                   # Cookie is in a different format, so it is not ours
>                   return creds
>
> -            creds['login'] = login.decode('hex')
> -            creds['password'] = password.decode('hex')
> +            try:
> +                creds['login'] = login.decode('hex')
> +                creds['password'] = password.decode('hex')
> +            except TypeError:
> +                # Cookie is in a different format, so it is not ours
> +                return creds
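
Review bot: In the new try block, creds['login'] is assigned before password.decode('hex') runs, so a TypeError raised by the second decode reaches the except branch's `return creds` with 'login' already populated and 'password' missing. Decode both values into local variables inside the try and assign them to creds only after both succeed, or have the except branch return an empty mapping, so that a cookie that is not ours yields no credentials at all, matching the comment "Cookie is in a different format, so it is not ours".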

That looks incorrect: if the password.decode fails you are now returning 
a half credential set with only login set, instead of an empty set.

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>   It is simple to make things.
http://www.wiggy.net/                  It is hard to make things simple.

