Posted to mod_python-commits@quetz.apache.org by gr...@apache.org on 2003/07/24 22:51:08 UTC
cvs commit: httpd-python/Doc modpython4.tex
grisha 2003/07/24 13:51:08
Modified: lib/python/mod_python Cookie.py
Doc modpython4.tex
Log:
The SignedCookie and MarshalCookie will now downgrade to plain
Cookie if signature or unmarshal errors are encountered (instead of
raising an exception). This is necessary because the browser may
return "outside" cookies (e.g. set by mod_usertrack). As a side
effect, it is important to check the type of object returned, which
has been noted in the docs.
Revision Changes Path
1.7 +18 -8 httpd-python/lib/python/mod_python/Cookie.py
Index: Cookie.py
===================================================================
RCS file: /home/cvs/httpd-python/lib/python/mod_python/Cookie.py,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- Cookie.py 24 Jul 2003 19:00:46 -0000 1.6
+++ Cookie.py 24 Jul 2003 20:51:08 -0000 1.7
@@ -210,12 +210,17 @@
is still plainly visible as part of the cookie.
"""
- def parse(Class, secret, str):
+ def parse(Class, secret, s):
- dict = _parseCookie(str, Class)
+ dict = _parseCookie(s, Class)
for k in dict:
- dict[k].unsign(secret)
+ c = dict[k]
+ try:
+ c.unsign(secret)
+ except CookieError:
+ # downgrade to Cookie
+ dict[k] = Cookie.parse(Cookie.__str__(c))[k]
return dict
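Review bot: The `except CookieError:` branch makes a failed signature check look like success unless the caller inspects the returned type, and the only in-code hint is `# downgrade to Cookie`. Code written against revision 1.6 that relied on the exception will now receive a plain Cookie carrying an unverified, client-supplied value under the same key `k`. I would expand the comment to `# signature did not verify: value is untrusted; return a plain Cookie so callers can detect it by type` and state the same contract in a docstring on parse(). MarshalCookie.parse in the next hunk needs the same wording. The class docstring above parse() starts outside this hunk.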
@@ -276,13 +281,18 @@
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=7xn0hcugmy.fsf%40ruckus.brouhaha.com
"""
- def parse(Class, secret, str):
+ def parse(Class, secret, s):
- dict = _parseCookie(str, Class)
+ dict = _parseCookie(s, Class)
for k in dict:
- dict[k].unmarshal(secret)
-
+ c = dict[k]
+ try:
+ c.unmarshal(secret)
+ except (CookieError, ValueError):
+ # downgrade to Cookie
+ dict[k] = Cookie.parse(Cookie.__str__(c))[k]
+
return dict
parse = classmethod(parse)
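Review bot: The `except (CookieError, ValueError):` tuple may be narrower than what `c.unmarshal(secret)` can raise. unmarshal() is not visible in this hunk, but if it passes the payload to `marshal.loads`, a correctly signed cookie whose value is not a marshal stream (for example one issued as a SignedCookie with the same secret) can raise `EOFError` or `TypeError`, which would escape parse() instead of downgrading. Consider `except (CookieError, ValueError, EOFError, TypeError):`. It is also worth a comment here confirming that marshal data is only loaded after the HMAC has verified, since marshal is not safe on untrusted input.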
1.40 +27 -16 httpd-python/Doc/modpython4.tex
Index: modpython4.tex
===================================================================
RCS file: /home/cvs/httpd-python/Doc/modpython4.tex,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- modpython4.tex 24 Jul 2003 19:00:46 -0000 1.39
+++ modpython4.tex 24 Jul 2003 20:51:08 -0000 1.40
@@ -1575,16 +1575,27 @@
\begin{classdesc}{SignedCookie}{name, value, secret\optional{, attributes}}
- This is a subclass of \class{Cookie}.
+ This is a subclass of \class{Cookie}. This class creates cookies
+ whose name and value are automatically signed using HMAC (md5) with
+ a provided secret \var{secret}, which must be a non-empty string.
- This class creates cookies whose name and value are automatically
- signed using HMAC (md5) with a provided secret \var{secret}, which must be
- a non-empty string.
-
- \begin{methoddesc}[Cookie]{parse}{string}{secret}
+ \begin{methoddesc}[SignedCookie]{parse}{string, secret}
This method acts the same way as \class{Cookie.parse()}, but also
verifies that the cookie is correctly signed. If the signature
- cannot be verified, a \exception{CookieError} is raised.
+ cannot be verified, the object returned will be of class
+ \class{Cookie}.
+
+ \begin{notice}
+ Always check the type of the object returned by
+ \method{SignedCookie.parse()} is an instance of \class{Cookie}
+ (as oppsed to \class{SignedCookie}), the signature verification
+ failed:
+ \begin{verbatim}
+# assume spam is supposed to be a signed cookie
+if type(spam) is not Cookie.SignedCookie:
+ # do something that indicates cookie isn't signed correctly
+ \end{verbatim}
+ \end{notice}
\end{methoddesc}
\end{classdesc}
@@ -1647,7 +1658,7 @@
\end{verbatim}
-This example checks for incoming marshal cookie and displays it the
+This example checks for incoming marshal cookie and displays it to the
client. If no incoming cookie is present a new marshal cookie is set.
This example uses \samp{secret007} as the secret for HMAC signature.
@@ -1656,19 +1667,19 @@
def handler(req):
- try:
- cookies = Cookie.getCookie(req, Cookie.MarshalCookie, \
+ cookies = Cookie.getCookie(req, Cookie.MarshalCookie, \
'secret007')
- except Cookie.CookieError:
- req.write('Cookie parsing error!\n')
- return apache.OK
-
if cookies.has_key('spam'):
spamcookie = cookies['spam']
+
req.write('Great, a spam cookie was found: %s\n' \
% str(spamcookie))
- req.write('Here is what it looks like decoded: %s=%s\n'
- % (spamcookie.name, spamcookie.value))
+ if type(spamcookie) is Cookie.MarshalCookie:
+ req.write('Here is what it looks like decoded: %s=%s\n'
+ % (spamcookie.name, spamcookie.value))
+ else:
+ req.write('WARNING: The cookie found is not a \
+ MarshalCookie, it may have been tapered with!')
else: