[Zope-PAS] CookieAuthHelper.
Florent Guillaume
fg at nuxeo.com
Thu Nov 18 13:50:10 EST 2004
I think the idea is that it's bad to leave secret information left in
the request after it's been used during traversal, in case the request
object is later seen by an untrusted party.
CookieCrumbler basically does:
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
Florent
> Index: CookieAuthHelper.py
> ===================================================================
> RCS
> file:
> /home/dixonhughes_com/cvs_efr/Products/PluggableAuthService/plugins/CookieAuthHelper.py,v
> retrieving revision 1.2
> diff -u -r1.2 CookieAuthHelper.py
> --- CookieAuthHelper.py 8 Nov 2004 09:11:37 -0000 1.2
> +++ CookieAuthHelper.py 14 Nov 2004 03:47:15 -0000
> @@ -117,8 +117,8 @@
> creds['login'] = login
> creds['password'] = password
>
> - request.set('__ac_name', '')
> - request.set('__ac_password', '')
> + #request.set('__ac_name', '')
> + #request.set('__ac_password', '')
>
> if creds:
> creds['remote_host'] = request.get('REMOTE_HOST', '')
>
> The problem was that the request.set puts "__ac_name" and
> "__ac_password" (both as blank strings) into the REQUEST.other
> dictionary. I have no idea why this is done.
--
Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
More information about the Zope-PAS
mailing list