[Python-modules-commits] r30379 - in packages/python-openid/trunk/debian (3 files)
dottedmag at users.alioth.debian.org
Sun Aug 31 16:25:00 UTC 2014
Date: Sunday, August 31, 2014 @ 16:24:59
Author: dottedmag
Revision: 30379
Fix crash in sqlite storage with long salts (Closes: #704698)
Added:
packages/python-openid/trunk/debian/patches/
packages/python-openid/trunk/debian/patches/do-no-crash-long-salts.patch
packages/python-openid/trunk/debian/patches/series
Added: packages/python-openid/trunk/debian/patches/do-no-crash-long-salts.patch
===================================================================
--- packages/python-openid/trunk/debian/patches/do-no-crash-long-salts.patch (rev 0)
+++ packages/python-openid/trunk/debian/patches/do-no-crash-long-salts.patch 2014-08-31 16:24:59 UTC (rev 30379)
@@ -0,0 +1,66 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+
+The OpenID 2.0 specification indicates that the response_nonce as a
+whole can be up to 255 characters, and must be prefixed by an ISO-8601
+timestamp in UTC:
+
+https://openid.net/specs/openid-authentication-2_0.html#positive_assertions
+
+even assuming the a very long timestamp, this suggests that the latter
+part of the nonce could be over 200 characters long.
+
+The current table definitions in sqlstore.py all assume that the nonce
+should be 40 characters. This causes a crash when used with existing
+OpenID providers (e.g. the drupal openid_provider module generates
+nonces with a 64-byte salt).
+
+Note: this patch doesn't address in-place upgrades of existing
+python-openid servers that use an sqlstore. The right thing to do is
+something like (in PostgreSQL, e.g.):
+
+ ALTER TABLE %(nonces) ALTER COLUMN salt TYPE VARCHAR(255);
+
+I don't see any database versioning or upgrade mechanisms, so it's not
+clear how to apply this change dynamically (or to detect that it needs
+to be applied).
+
+Some sqlstore backends (sqlite?) may not be able to do an in-place
+type change of a column. Those backends may need to drop the nonces
+table and recreate it.
+---
+ openid/store/sqlstore.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/openid/store/sqlstore.py b/openid/store/sqlstore.py
+index 58c4337..632644c 100644
+--- a/openid/store/sqlstore.py
++++ b/openid/store/sqlstore.py
+@@ -297,7 +297,7 @@ class SQLiteStore(SQLStore):
+ CREATE TABLE %(nonces)s (
+ server_url VARCHAR,
+ timestamp INTEGER,
+- salt CHAR(40),
++ salt VARCHAR(255),
+ UNIQUE(server_url, timestamp, salt)
+ );
+ """
+@@ -376,7 +376,7 @@ class MySQLStore(SQLStore):
+ CREATE TABLE %(nonces)s (
+ server_url BLOB NOT NULL,
+ timestamp INTEGER NOT NULL,
+- salt CHAR(40) NOT NULL,
++ salt VARCHAR(255) NOT NULL,
+ PRIMARY KEY (server_url(255), timestamp, salt)
+ )
+ ENGINE=InnoDB;
+@@ -447,7 +447,7 @@ class PostgreSQLStore(SQLStore):
+ CREATE TABLE %(nonces)s (
+ server_url VARCHAR(2047) NOT NULL,
+ timestamp INTEGER NOT NULL,
+- salt CHAR(40) NOT NULL,
++ salt VARCHAR(255) NOT NULL,
+ PRIMARY KEY (server_url, timestamp, salt)
+ );
+ """
+--
+1.7.10.4
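Review bot: the MySQLStore hunk widens `salt` to `VARCHAR(255) NOT NULL` while the column stays inside `PRIMARY KEY (server_url(255), timestamp, salt)`; on InnoDB versions still bound by the 767-byte per-column index limit, a 255-character VARCHAR in a multi-byte charset (utf8mb4 is 1020 bytes) can make that CREATE TABLE fail where CHAR(40) did not, so the MySQL path should be tested with the server's default charset or the limitation recorded next to the existing upgrade caveats in the patch header. Two smaller points in that header text: the suggested migration `ALTER TABLE %(nonces) ALTER COLUMN salt TYPE VARCHAR(255);` drops the trailing `s` of the `%(nonces)s` placeholder used by the table templates, so it cannot go through the same substitution as the CREATE statements; and the file carries only a `From:` line, whereas a patch under debian/patches/ would normally also carry DEP-3 `Description:`, `Bug-Debian:` (the commit closes #704698) and `Forwarded:` headers, which is also the natural place to keep the note that existing sqlstore deployments are left on the old 40-character column.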
Added: packages/python-openid/trunk/debian/patches/series
===================================================================
--- packages/python-openid/trunk/debian/patches/series (rev 0)
+++ packages/python-openid/trunk/debian/patches/series 2014-08-31 16:24:59 UTC (rev 30379)
@@ -0,0 +1 @@
+do-no-crash-long-salts.patch