r8-forks / webapp-improved

Automatically exported from code.google.com/p/webapp-improved

sessions: unable to handle cookie in quotes #41

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Steps will reproduce the problem:
1. create a secure cookie - e.g. self.session['foo'] = 'bar'
2. send a request with the session cookie in double quotes.
3. check existence - e.g. if not 'foo' in self.session: fail!

What is the expected output? What do you see instead?
The quotes should be removed before checking the cookie value

What version of the product are you using? On what operating system?
google sdk 1.6.1

Please provide any additional information below.

Here is a workaround. In line 66 of securecookie.py change
from the following:

        parts = value.split('|')

to this:

        # strip RFC 2109 double quotes only when both ends carry them
        # (also avoids an IndexError on an empty cookie value)
        val = value[1:-1] if value.startswith('"') and value.endswith('"') else value
        parts = val.split('|')

Original issue reported on code.google.com by j...@metologica.com on 21 Dec 2011 at 5:35

GoogleCodeExporter commented 9 years ago
A better fix would be to use Cookie._unquote from the stdlib.

import Cookie
unquoted_value = Cookie._unquote(value)
parts = unquoted_value.split('|')

Original comment by schettino72@gmail.com on 25 Jan 2012 at 11:55

GoogleCodeExporter commented 9 years ago
Hi. Trying to understand this:

2. send a request with the session cookie in double quotes.

Could you please give a full example?

Original comment by rodrigo.moraes on 25 Jan 2012 at 2:15

GoogleCodeExporter commented 9 years ago
Ok, I understand it now.

The Python SDK 1.6.1 ships with WebOb 0.9. Latest versions of WebOb unquote 
cookies by default. Please use the latest version configuring it in app.yaml 
and let me know if the problem still occurs:

http://code.google.com/appengine/docs/python/python27/using27.html#Configuring_Libraries

You must have WebOb installed in your system for this to work.

Original comment by rodrigo.moraes on 25 Jan 2012 at 2:25

GoogleCodeExporter commented 9 years ago
I got this issue while writing unittests using WebTest 
(http://pypi.python.org/pypi/WebTest). Investigating this issue I found this: 
https://github.com/kennethreitz/requests/issues/286 . As far as I understood, 
Firefox will not quote the cookie as the standard recommends... So the issue 
only happened to me when I was using WebTest. 

It is easy to reproduce: just call response.follow() (from 
http://webtest.pythonpaste.org/en/latest/index.html#the-response-object). I can 
give a try on writing a unittest later today if you wish...

Also, I guess webapp2 is wrong in that it never encodes the cookie, but I 
guess all clients forgive that.

Original comment by schettino72@gmail.com on 25 Jan 2012 at 2:30

GoogleCodeExporter commented 9 years ago
OK, it works with the latest WebOb. 
I starred http://code.google.com/p/googleappengine/issues/detail?id=2788 :)
Thanks for the quick reply.

Original comment by schettino72@gmail.com on 25 Jan 2012 at 2:43

GoogleCodeExporter commented 9 years ago
Thanks Rodrigo for spotting the library incompatibility.
This issue should be closed.

Original comment by j...@metologica.com on 25 Jan 2012 at 3:49

GoogleCodeExporter commented 9 years ago
Notice that latest WebOb is available in production in the Python 2.7 runtime 
(through app.yaml configuration), it just doesn't ship with the SDK.

I still want to take a look if something can be done for people with old WebOb.

Original comment by rodrigo.moraes on 25 Jan 2012 at 11:31

GoogleCodeExporter commented 9 years ago
Thanks for the input, guys. I'll close the issue and recommend people use the 
updated version. WebOb 0.9 is now 4 years old after all.

Original comment by rodrigo.moraes on 31 Jan 2012 at 6:34

GoogleCodeExporter commented 9 years ago
Fair enough. I am actually monkey-patching webapp2 because using a different 
WebOb on GAE dev is a pain... some might find this useful:

# monkeypatch webapp2 to fix
# http://code.google.com/p/webapp-improved/issues/detail?id=41
# the problem was actually fixed on webob>0.9, keep this until appengine
# upgrades webob.
import Cookie
from webapp2_extras import securecookie

original_deserialize = securecookie.SecureCookieSerializer.deserialize

def patched_deserialize(self, name, value, max_age=None):
    # strip RFC 2109 double quotes (old WebOb hands the cookie value over verbatim)
    unquoted_value = Cookie._unquote(value)
    return original_deserialize(self, name, unquoted_value, max_age)

securecookie.SecureCookieSerializer.deserialize = patched_deserialize
# end monkey-patch webapp2

Original comment by schettino72@gmail.com on 31 Jan 2012 at 6:49
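
An added example (not code from this thread or from webapp2) that reproduces the failure and the fix end to end: a minimal `payload|timestamp|signature` serializer in the spirit of securecookie.py, a client that quotes the cookie value the way the stdlib's SimpleCookie does for the `=` of base64 padding, and a deserialize that applies the `_unquote` fix (`http.cookies._unquote` is the Python 3 name of the `Cookie._unquote` used above). The cookie layout, the key and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from http.cookies import SimpleCookie, _unquote  # Python 3 name of the thread's Cookie module

SECRET = b"constructed-demo-secret"  # constructed key for the demo, not a real secret


def _sign(name, payload, ts):
    msg = "|".join([name, payload, ts]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def serialize(name, value, ts=None):
    # 'payload|timestamp|signature' layout, assumed from the split('|') quoted in the
    # thread; not webapp2's exact wire format.
    payload = base64.b64encode(value.encode()).decode()
    ts = str(int(time.time()) if ts is None else ts)
    return "|".join([payload, ts, _sign(name, payload, ts)])


def deserialize_old(name, value, max_age=None):
    # WebOb 0.9-era behaviour: split the cookie value exactly as received.
    parts = value.split("|")
    if len(parts) != 3:
        return None
    payload, ts, sig = parts
    # With a quoted cookie the leading '"' lands in payload and the trailing '"'
    # in sig, so the signature never matches and the session silently vanishes.
    if not hmac.compare_digest(sig, _sign(name, payload, ts)):
        return None
    if max_age is not None and time.time() - int(ts) > max_age:
        return None
    return base64.b64decode(payload).decode()


def deserialize_fixed(name, value, max_age=None):
    # The fix the thread converges on: strip RFC 2109 quoting before splitting.
    return deserialize_old(name, _unquote(value), max_age)


def as_sent_by_quoting_client(name, cookie_value):
    # Raw value part of a Cookie header from a client that quotes values holding
    # non-token characters; the stdlib does so for the '=' of base64 padding.
    c = SimpleCookie()
    c[name] = cookie_value
    return c[name].OutputString().split("=", 1)[1]


if __name__ == "__main__":
    raw = serialize("session", "user=42")
    quoted = as_sent_by_quoting_client("session", raw)
    print(quoted, deserialize_old("session", quoted), deserialize_fixed("session", quoted))
```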

GoogleCodeExporter commented 9 years ago
This issue was closed by revision c19adda08036.

Original comment by rodrigo.moraes on 31 Jan 2012 at 7:13

GoogleCodeExporter commented 9 years ago
Next release will include your patch. This release should be part of the next 
SDK.

Original comment by rodrigo.moraes on 31 Jan 2012 at 7:14