[Python-modules-team] Bug#765469: python3-tornado: get_secure_cookie get incorrect value by setting set_secure_cookie
Yavuz Selim Komur
komur at bilkent.edu.tr
Wed Oct 15 11:41:06 UTC 2014
Package: python3-tornado
Version: 3.2.2-1
Severity: critical
Justification: breaks unrelated software
Dear Maintainer,
import json
import time

import tornado.web


class abc(tornado.web.RequestHandler):
    def get(self):
        (stat, user) = self.check_remember()
        if stat:
            do_action()
        else:
            self.clear_cookie('remember')
            self.render('remember-post.html')

    def post(self):
        username = self.get_body_argument('username')
        # Default to None so a missing 'remember' field does not raise
        # MissingArgumentError (HTTP 400).
        if self.get_body_argument('remember', None):
            val = json.dumps({'username': username, 'time': time.time()})
            self.set_secure_cookie('remember', value=val, expires_days=7)

    def check_remember(self):
        # Returns (True, username) for a valid cookie, (False, '') otherwise.
        try:
            remember_cookie = self.get_secure_cookie('remember', max_age_days=7)
        except ValueError:
            print('try get_cookie')
            return False, ''
        if remember_cookie is None:
            return False, ''
        try:
            # get_secure_cookie returns bytes on Python 3; decode before parsing.
            remember = json.loads(remember_cookie.decode())
        except ValueError:
            print('try json')
            return False, ''
        ret = (False, '')
        if 'username' in remember and 'time' in remember:
            if time.time() - remember['time'] > 7 * 24 * 60 * 60:
                self.clear_cookie('remember')
                ret = (False, '')
            else:
                # Re-issue the cookie with a fresh timestamp.
                username = remember['username']
                val = json.dumps({'username': username, 'time': time.time()})
                self.set_secure_cookie('remember', value=val, expires_days=7)
                ret = (True, username)
        return ret
Always get a ValueError exception in json.loads, print 'try json' and return
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages python3-tornado depends on:
ii ca-certificates 20140927
ii python3 3.4.2-1
python3-tornado recommends no packages.
python3-tornado suggests no packages.
-- no debconf information