[ZCM] [ZC] 1226/ 4 Resolve "ZTUtils.encodestring change breaks tree state, cookie auth"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Tue May 4 15:34:43 EDT 2004
Issue #1226 Update (Resolve) "ZTUtils.encodestring change breaks tree state, cookie auth"
Status Resolved, Zope/bug+solution medium
To followup, visit:
http://collector.zope.org/Zope/1226
==============================================================
= Resolve - Entry #4 by Caseman on May 4, 2004 3:34 pm
Status: Pending => Resolved
Fixed on HEAD and 2.7 branch
________________________________________
= Comment - Entry #3 by efge on Feb 11, 2004 2:31 pm
There's more to it. base64.encodestring() actually also inserts a '\n' every 76 characters. Doing .replace('\n', '') would be better.
________________________________________
= Comment - Entry #2 by maru on Feb 11, 2004 2:14 pm
ZTUtils.Tree as it appears in Zope 2.7.0rc's 1 and 2 is actually version 1.15.2.4. 1.18 is an identical cvs version.
________________________________________
= Request - Entry #1 by maru on Feb 11, 2004 2:07 pm
Version 1.18 of ZTUtils.Tree was modified to use the base64 module in place of binascii to encode/decode strings. However, the documentation of base64 (http://python.org/doc/2.3.3/lib/module-base64.html) clearly states that the encodestring method adds a trailing newline.
This trailing newline makes a mess of the response cookies. When the cookie is formatted (ZPublisher.HTTPResponse._cookie_list, L797) the newline causes the closing quote to appear on the next line. While the cookie value appears to be set properly on the client, any subsequent request to the server will send a garbled cookie. With no closing quote, the tree state variable will eat the name of the subsequent cookie until it finds the next available quote character:
acdp-nav-tree-state="AAAAAAAAEA8_; __ac_name="contentdeveloper";
When this cookie is read, the value of the tree state variable will be equal to "AAAAAAAAEA8_; __ac_name=" and the __ac_name variable will effectively disappear. This breaks both tree navigation and cookie-based authentication.
This fix is simple - the newline must be removed from the result of base64.encodestring in ZTUtils.Tree.b2a, by using strip or cutting off the trailing character via slicing:
235c235
< return translate(base64.encodestring(str(s)), a2u_map)
---
> return translate(base64.encodestring(str(s)).strip(), a2u_map)
or
> return translate(base64.encodestring(str(s))[:-1], a2u_map)
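Review bot: On line 235, both .strip() and [:-1] remove only the trailing newline, but as Entry #3 points out, base64.encodestring() also inserts a '\n' every 76 characters, so a longer str(s) would still put newlines inside the cookie value. Using .replace('\n', '') on the encodestring result covers both cases. The [:-1] variant also assumes the last character is always a newline and would silently drop a data character if that ever stopped being true.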
As an aside, it may be a good idea for HTTPResponse to automatically remove all invalid characters from cookie properties or log an error when they are encountered to prevent this type of problem from recurring.
==============================================================
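The behaviour discussed in this issue, as an added example (not part of the original report and not Zope's code). It uses Python 3's base64.encodebytes, the current name for encodestring, and goes one step further by implementing the check suggested in the aside about rejecting invalid cookie characters. A2U_MAP, cookie_header and safe_cookie_header are hypothetical stand-ins, not the ZTUtils or ZPublisher implementations.

```python
import base64

# Assumed stand-in for ZTUtils' a2u_map (URL-safe substitution); not copied from Zope.
A2U_MAP = bytes.maketrans(b"+/=", b"-._")


def b2a_broken(s: bytes) -> str:
    """Pre-fix behaviour: the encoder's newlines are kept."""
    return base64.encodebytes(s).translate(A2U_MAP).decode("ascii")


def b2a_strip(s: bytes) -> str:
    """Fix from Entry #1: removes only the trailing newline."""
    return base64.encodebytes(s).strip().translate(A2U_MAP).decode("ascii")


def b2a_replace(s: bytes) -> str:
    """Fix from Entry #3: removes the newline inserted every 76 characters too."""
    return base64.encodebytes(s).replace(b"\n", b"").translate(A2U_MAP).decode("ascii")


def cookie_header(name: str, value: str) -> str:
    """Hypothetical formatter that quotes the value as in the issue's example."""
    return 'Set-Cookie: %s="%s"' % (name, value)


def has_control_chars(value: str) -> bool:
    """True if the value contains CR, LF or any other ASCII control character."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def safe_cookie_header(name: str, value: str) -> str:
    """Refuse to emit a cookie whose value would break the header line."""
    if has_control_chars(value):
        raise ValueError("control character in cookie %r" % name)
    return cookie_header(name, value)


if __name__ == "__main__":
    short_state = b"\x00" * 8     # constructed sample: fits in one base64 line
    long_state = b"\x00" * 100    # constructed sample: wraps past 76 characters
    print(repr(cookie_header("tree-state", b2a_broken(short_state))))
    print(has_control_chars(b2a_strip(long_state)))      # embedded newline remains
    print(has_control_chars(b2a_replace(long_state)))    # clean
    print(safe_cookie_header("tree-state", b2a_replace(long_state)))
```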