[Zope-PAS] [Checkins] SVN: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/ Fixed possible TypeError in extractCredentials of CookieAuthHelper when the __ac cookie is not ours (but e.g. from plone.session, though even then only in a corner case).
Wichert Akkerman
wichert at wiggy.net
Thu Aug 12 13:44:54 EDT 2010
Hi Maurits,
On 2010-8-12 16:43, Maurits van Rees wrote:
> Log message for revision 115650:
> Fixed possible TypeError in extractCredentials of CookieAuthHelper when the __ac cookie is not ours (but e.g. from plone.session, though even then only in a corner case).
>
> Changed:
> U Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
> U Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/tests/test_CookieAuthHelper.py
>
> -=-
> Modified: Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py
> ===================================================================
> --- Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py 2010-08-12 09:03:42 UTC (rev 115649)
> +++ Products.PluggableAuthService/branches/1.6/Products/PluggableAuthService/plugins/CookieAuthHelper.py 2010-08-12 14:43:10 UTC (rev 115650)
> @@ -125,8 +125,12 @@
> # Cookie is in a different format, so it is not ours
> return creds
>
> - creds['login'] = login.decode('hex')
> - creds['password'] = password.decode('hex')
> + try:
> + creds['login'] = login.decode('hex')
> + creds['password'] = password.decode('hex')
> + except TypeError:
> + # Cookie is in a different format, so it is not ours
> + return creds
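Review bot: In the new try block, creds['login'] is assigned before password.decode('hex') is evaluated, so a TypeError raised by the second decode reaches "return creds" with 'login' already set and 'password' missing. Decode both values into local variables first and write them into creds only after both succeed, or have the except branch drop the 'login' key before returning. The comment in the except branch repeats the one just above the hunk's first return; a short note saying that this branch covers a cookie that split correctly but is not hex-encoded would tell the two cases apart.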
That looks incorrect: if the password.decode fails you are now returning
a half credential set with only login set, instead of an empty set.
Wichert.
--
Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.