You are viewing a plain text version of this content. The canonical link for it is here.
Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2007/05/01 12:49:15 UTC

[jira] Closed: (MODPYTHON-191) Tampering with signed cookies.

     [ https://issues.apache.org/jira/browse/MODPYTHON-191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Graham Dumpleton closed MODPYTHON-191.
--------------------------------------


> Tampering with signed cookies.
> ------------------------------
>
>                 Key: MODPYTHON-191
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-191
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.2.10
>            Reporter: Graham Dumpleton
>         Assigned To: Graham Dumpleton
>             Fix For: 3.3
>
>
> As reported by Andy Pearce in:
>   http://mail-archives.apache.org/mod_mbox/httpd-python-dev/200609.mbox/%3c44F824E2.4040304@jgassociates.ca%3e
> Andy Pearce wrote:
> > 
> > Hi,
> > 
> > I think I might have spotted a slight bug in Session.py. When the 
> > 'secret' parameter is supplied to use the SignedCookie class, it appears 
> > that __init__ of BaseSession doesn't check the return type of 
> > get_cookies().
> > 
> > If I understand the SignedCookie docs correctly, if the cookie value 
> > doesn't match its signature, it simply returns the contents as a Cookie 
> > rather than a SignedCookie (indicating that the user tampered with their 
> > cookie before sending it back).
> > 
> > However, there is no check in BaseSession's __init__ that the return of 
> > get_cookies() is a SignedCookie in the case that 'secret' is supplied.
> > 
> > Perhaps a minor point, but it would seem to make the option of using 
> > SignedCookies rather pointless, since the signature isn't being checked. 
> > Presumably if the cookie has been tampered with, your only safe option 
> > is to throw it away and generate a new one. I think this can be achieved 
> > by changing the lines:
> > 
> >     if cookies.has_key(session_cookie_name):
> >         self._sid = cookies[session_cookie_name].value
> > 
> > To something like:
> > 
> >     if cookies.has_key(session_cookie_name):
> >     if not secret or type(cookes[session_cookie_name]) \
> >            is Cookie.SignedCookie:
> >             self._sid = cookies[session_cookie_name].value
> > 
> > I'm fairly new to mod_python, so if I'm mistaken then my apologies, and 
> > a quick explanation of why would be very much appreciated! ^_^
> > 
> > Thanks,
> > 
> >     - Andy
> > 
> Is this correct and should the change suggested appropriate?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.