Commit cec1ac58 authored by Sebastien Robin's avatar Sebastien Robin

do not use pickle only with cookies


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@865 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent e602c577
......@@ -727,14 +727,13 @@ class SelectionTool( UniqueObject, SimpleItem ):
LOG('selectionHasChanged, return...',0,'False')
return False
security.declareProtected(ERP5Permissions.View, 'getPickleAndSignature')
def getPickleAndSignature(self,**kw):
security.declareProtected(ERP5Permissions.View, 'getPickle')
def getPickle(self,**kw):
"""
we give many keywords and we will get the corresponding
pickle string and signature
"""
LOG('getPickleAndSignature kw',0,kw)
cookie_password = self._getCookiePassword()
LOG('getPickle kw',0,kw)
# XXX Remove DateTime, This is really bad, only use for zope 2.6
# XXX This has to be removed as quickly as possible
for k,v in kw.items():
......@@ -748,10 +747,35 @@ class SelectionTool( UniqueObject, SimpleItem ):
pickle_string = msg.get_payload()
pickle_string = pickle_string.replace('\n','@@@')
LOG('getPickleAndSignature pickle',0,pickle_string)
return pickle_string
security.declareProtected(ERP5Permissions.View, 'getPickleAndSignature')
def getPickleAndSignature(self,**kw):
"""
we give many keywords and we will get the corresponding
pickle string and signature
"""
pickle_string = self.getPickle(**kw)
LOG('getPickleAndSignature pickle',0,pickle_string)
signature = hmac.new(cookie_password,pickle_string).hexdigest()
LOG('getPickleAndSignature signature',0,signature)
return (pickle_string,signature)
security.declareProtected(ERP5Permissions.View, 'getObjectFromPickle')
def getObjectFromPickle(self,pickle_string):
"""
we give a pickle string and a signature
"""
object = None
pickle_string = pickle_string.replace('@@@','\n')
LOG('getObjectFromPickleAndSignature pickle_string',0,pickle_string)
msg = MIMEBase('application','octet-stream')
Encoders.encode_base64(msg)
msg.set_payload(pickle_string)
pickle_string = msg.get_payload(decode=1)
object = pickle.loads(pickle_string)
return object
security.declareProtected(ERP5Permissions.View, 'getObjectFromPickleAndSignature')
def getObjectFromPickleAndSignature(self,pickle_string,signature):
"""
......@@ -760,17 +784,11 @@ class SelectionTool( UniqueObject, SimpleItem ):
cookie_password = self._getCookiePassword()
object = None
new_signature = hmac.new(cookie_password,pickle_string).hexdigest()
pickle_string = pickle_string.replace('@@@','\n')
LOG('getObjectFromPickleAndSignature pickle_string',0,pickle_string)
LOG('getObjectFromPickleAndSignature signature',0,signature)
LOG('getObjectFromPickleAndSignature signature',0,new_signature)
if new_signature==signature:
LOG('getObjectFromPickleAndSignature ',0,'XXX same signature XXX')
msg = MIMEBase('application','octet-stream')
Encoders.encode_base64(msg)
msg.set_payload(pickle_string)
pickle_string = msg.get_payload(decode=1)
object = pickle.loads(pickle_string)
object = self.getObjectFromPickle(pickle_string)
return object
security.declarePrivate('_getCookiePassword')
......@@ -815,4 +833,5 @@ class SelectionTool( UniqueObject, SimpleItem ):
InitializeClass( SelectionTool )
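Review bot: The new `getObjectFromPickle` method is declared with `security.declareProtected(ERP5Permissions.View, ...)` and calls `pickle.loads` on whatever string the caller passes, with no HMAC verification at all; because it carries a docstring, Zope will publish it through the web, so any user holding View can submit an arbitrary pickle to the server, which is remote code execution. The signed entry point `getObjectFromPickleAndSignature` still checks `new_signature==signature` before delegating, so the unsigned helper should be internal only: change its declaration to `security.declarePrivate('getObjectFromPickle')` (and consider the same for `getPickle` if it is only a building block for the signed variant). Separately, the new `getPickleAndSignature` body no longer assigns `cookie_password` — the `cookie_password = self._getCookiePassword()` line was dropped from what became `getPickle` and not carried over — so the retained `signature = hmac.new(cookie_password,pickle_string).hexdigest()` will raise NameError unless `cookie_password` is defined somewhere not visible here; add `cookie_password = self._getCookiePassword()` just before it. The `new_signature==signature` comparison in `getObjectFromPickleAndSignature` is also not constant-time; a comparison that does not short-circuit on the first differing byte would be preferable, though that is a lesser concern than the unauthenticated unpickle endpoint.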