[Python-modules-team] Bug#765469: python3-tornado: get_secure_cookie get incorrect value by setting set_secure_cookie

Sebastian Ramacher sramacher at debian.org
Sat Nov 15 12:38:13 UTC 2014


Control: severity -1 normal

On 2014-10-15 14:41:06, Yavuz Selim Komur wrote:
> Package: python3-tornado
> Version: 3.2.2-1
> Severity: critical
> Justification: breaks unrelated software
> 
> Dear Maintainer,
> 
> import json
> import time
> import tornado.web
> 
> class abc(tornado.web.RequestHandler):
>     def get(self):
>         (stat, user) = self.check_remember()
>         if stat:
>             do_action()
>         else:
>             self.clear_cookie('remember')
>             self.render('remember-post.html')
> 
>     def post(self):
>         username = self.get_body_argument('username')
>         # 'remember' is a checkbox, so it may be absent from the body
>         if self.get_body_argument('remember', default=None):
>             val = json.dumps({'username': username, 'time': time.time()})
>             self.set_secure_cookie('remember', value=val, expires_days=7)
> 
>     def check_remember(self):
>         try:
>             remember_cookie = self.get_secure_cookie('remember', max_age_days=7)
>         except ValueError:
>             print('try get_cookie')
>             return False, ''
> 
>         if remember_cookie is None:
>             return False, ''
> 
>         try:
>             # get_secure_cookie returns bytes; decode before parsing the JSON
>             remember = json.loads(remember_cookie.decode())
>         except ValueError:
>             print('try json')
>             return False, ''
> 
>         ret = (False, '')
>         if 'username' in remember and 'time' in remember:
>             if time.time() - remember['time'] > 7 * 24 * 60 * 60:
>                 self.clear_cookie('remember')
>                 ret = (False, '')
>             else:
>                 # refresh the cookie with a new timestamp
>                 username = remember['username']
>                 val = json.dumps({'username': username, 'time': time.time()})
>                 self.set_secure_cookie('remember', value=val, expires_days=7)
>                 ret = (True, username)
>         return ret
> 
> 
> I always get a ValueError exception in json.loads; it prints "try json" and returns.

Looks like one needs to take care of encoding / decoding the value properly.
The following example works fine:

import tornado
import tornado.web
import tornado.ioloop
import json

value = { "foo": "bar" }

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        if not self.get_secure_cookie("mycookie2"):
            # store bytes: the JSON text encoded as UTF-8
            self.set_secure_cookie("mycookie2",
                                   json.dumps(value).encode('utf-8'))
            self.write("Your cookie was not set yet!")
        else:
            # get_secure_cookie returns bytes (or None when the signature or
            # max_age check fails); decode before handing it to json.loads
            data = self.get_secure_cookie("mycookie2")
            self.write("Your cookie was set!\n" + str(json.loads(data.decode('utf-8'))))

application = tornado.web.Application([
    (r"/", MainHandler),
], cookie_secret="bla")  # placeholder for the demo; use a long random secret in a real deployment

application.listen(8888)
tornado.ioloop.IOLoop.instance().start()


Reducing the severity since a workaround exists and it's still unclear
which unrelated software would be broken by this issue.

Cheers
-- 
Sebastian Ramacher
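To make the encode/decode point above concrete without running a server, here is an added example (not from the bug report and not tornado's own code) that re-implements a signed-cookie round trip with the standard library only. The `base64(payload)|timestamp|hex HMAC-SHA1` layout is modelled on what I understand Tornado 3's v1 secure cookies to look like and is an assumption; the function names `create_signed_value` / `decode_signed_value` are borrowed for readability, and the secret and clock values are constructed test data. It shows the dict -> json.dumps -> .encode() -> sign pipeline on the way in, the verify -> .decode() -> json.loads pipeline on the way out, and that a forged payload, a wrong secret or an over-age timestamp come back as None before json.loads ever runs.

```python
import base64
import hashlib
import hmac
import json
import time

# Signed-cookie layout modelled on Tornado 3's v1 format (an assumption stated
# here, not copied from tornado's source):
#   base64(payload) | unix_timestamp | hex HMAC-SHA1(secret; name, payload, timestamp)
# Every helper in this file is example code for this thread, not tornado's API.


def _signature(secret, *parts):
    """HMAC-SHA1 over the cookie name, base64 payload and timestamp, in order."""
    mac = hmac.new(secret.encode("utf-8"), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(part)
    return mac.hexdigest().encode("ascii")


def create_signed_value(secret, name, value, now=None):
    """Sign a bytes payload (a str is UTF-8 encoded first)."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    timestamp = str(int(now if now is not None else time.time())).encode("ascii")
    payload = base64.b64encode(value)
    sig = _signature(secret, name.encode("utf-8"), payload, timestamp)
    return b"|".join([payload, timestamp, sig])


def decode_signed_value(secret, name, cookie, max_age_days=31, now=None):
    """Return the payload bytes if signature and age check out, else None."""
    if not cookie:
        return None
    parts = cookie.split(b"|")
    if len(parts) != 3:
        return None
    payload, timestamp, sig = parts
    expected = _signature(secret, name.encode("utf-8"), payload, timestamp)
    # constant-time compare: a plain == leaks how many leading bytes matched
    if not hmac.compare_digest(sig, expected):
        return None
    # payload and timestamp go into the HMAC without a delimiter, so reject
    # timestamps that could absorb digits shifted across that boundary
    if not timestamp.isdigit() or timestamp.startswith(b"0"):
        return None
    now = now if now is not None else time.time()
    ts = int(timestamp)
    if ts < now - max_age_days * 86400 or ts > now + 31 * 86400:
        return None
    try:
        return base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def set_remember_cookie(secret, username, now=None):
    """dict -> JSON str -> UTF-8 bytes -> signed cookie (the order the report needs)."""
    stamp = now if now is not None else time.time()
    record = json.dumps({"username": username, "time": stamp})
    return create_signed_value(secret, "remember", record.encode("utf-8"), now=stamp)


def read_remember_cookie(secret, cookie, max_age_days=7, now=None):
    """Reverse pipeline: verify -> bytes -> .decode() -> json.loads -> username or None.

    The signature check runs first, so json.loads only ever sees bytes this
    server produced; a ValueError here means our own encoding is wrong."""
    raw = decode_signed_value(secret, "remember", cookie, max_age_days, now)
    if raw is None:
        return None
    try:
        record = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(record, dict) or not isinstance(record.get("username"), str):
        return None
    return record["username"]


if __name__ == "__main__":
    secret = "constructed-demo-secret"  # constructed; not a real key
    t0 = 1415000000                      # constructed fixed clock
    cookie = set_remember_cookie(secret, "alice", now=t0)
    print("cookie   :", cookie)
    print("fresh    :", read_remember_cookie(secret, cookie, now=t0 + 3600))
    print("expired  :", read_remember_cookie(secret, cookie, now=t0 + 8 * 86400))
    print("wrong key:", read_remember_cookie("other", cookie, now=t0))
    # swap in a forged payload but keep the original timestamp and signature
    other = create_signed_value(secret, "remember", b'{"username": "root"}', now=t0)
    forged = b"|".join([other.split(b"|")[0]] + cookie.split(b"|")[1:])
    print("forged   :", read_remember_cookie(secret, forged, now=t0))
```

The `now` parameter exists only so the age checks are deterministic in a test; a handler would let it default to the wall clock. Note that the JSON stage is the last thing to run on the way out, which is why a ValueError from json.loads in the report's code cannot be caused by a client-tampered cookie: a modified payload never gets past the HMAC check.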