Commit cec1ac58 authored by Sebastien Robin's avatar Sebastien Robin

do not use pickle only with cookies


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@865 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent e602c577
...@@ -727,14 +727,13 @@ class SelectionTool( UniqueObject, SimpleItem ): ...@@ -727,14 +727,13 @@ class SelectionTool( UniqueObject, SimpleItem ):
LOG('selectionHasChanged, return...',0,'False') LOG('selectionHasChanged, return...',0,'False')
return False return False
security.declareProtected(ERP5Permissions.View, 'getPickleAndSignature') security.declareProtected(ERP5Permissions.View, 'getPickle')
def getPickleAndSignature(self,**kw): def getPickle(self,**kw):
""" """
we give many keywords and we will get the corresponding we give many keywords and we will get the corresponding
pickle string and signature pickle string and signature
""" """
LOG('getPickleAndSignature kw',0,kw) LOG('getPickle kw',0,kw)
cookie_password = self._getCookiePassword()
# XXX Remove DateTime, This is really bad, only use for zope 2.6 # XXX Remove DateTime, This is really bad, only use for zope 2.6
# XXX This has to be removed as quickly as possible # XXX This has to be removed as quickly as possible
for k,v in kw.items(): for k,v in kw.items():
...@@ -748,10 +747,35 @@ class SelectionTool( UniqueObject, SimpleItem ): ...@@ -748,10 +747,35 @@ class SelectionTool( UniqueObject, SimpleItem ):
pickle_string = msg.get_payload() pickle_string = msg.get_payload()
pickle_string = pickle_string.replace('\n','@@@') pickle_string = pickle_string.replace('\n','@@@')
LOG('getPickleAndSignature pickle',0,pickle_string) LOG('getPickleAndSignature pickle',0,pickle_string)
return pickle_string
security.declareProtected(ERP5Permissions.View, 'getPickleAndSignature')
def getPickleAndSignature(self,**kw):
"""
we give many keywords and we will get the corresponding
pickle string and signature
"""
pickle_string = self.getPickle(**kw)
LOG('getPickleAndSignature pickle',0,pickle_string)
signature = hmac.new(cookie_password,pickle_string).hexdigest() signature = hmac.new(cookie_password,pickle_string).hexdigest()
LOG('getPickleAndSignature signature',0,signature) LOG('getPickleAndSignature signature',0,signature)
return (pickle_string,signature) return (pickle_string,signature)
security.declareProtected(ERP5Permissions.View, 'getObjectFromPickle')
def getObjectFromPickle(self,pickle_string):
"""
we give a pickle string and a signature
"""
object = None
pickle_string = pickle_string.replace('@@@','\n')
LOG('getObjectFromPickleAndSignature pickle_string',0,pickle_string)
msg = MIMEBase('application','octet-stream')
Encoders.encode_base64(msg)
msg.set_payload(pickle_string)
pickle_string = msg.get_payload(decode=1)
object = pickle.loads(pickle_string)
return object
security.declareProtected(ERP5Permissions.View, 'getObjectFromPickleAndSignature') security.declareProtected(ERP5Permissions.View, 'getObjectFromPickleAndSignature')
def getObjectFromPickleAndSignature(self,pickle_string,signature): def getObjectFromPickleAndSignature(self,pickle_string,signature):
""" """
...@@ -760,17 +784,11 @@ class SelectionTool( UniqueObject, SimpleItem ): ...@@ -760,17 +784,11 @@ class SelectionTool( UniqueObject, SimpleItem ):
cookie_password = self._getCookiePassword() cookie_password = self._getCookiePassword()
object = None object = None
new_signature = hmac.new(cookie_password,pickle_string).hexdigest() new_signature = hmac.new(cookie_password,pickle_string).hexdigest()
pickle_string = pickle_string.replace('@@@','\n')
LOG('getObjectFromPickleAndSignature pickle_string',0,pickle_string) LOG('getObjectFromPickleAndSignature pickle_string',0,pickle_string)
LOG('getObjectFromPickleAndSignature signature',0,signature) LOG('getObjectFromPickleAndSignature signature',0,signature)
LOG('getObjectFromPickleAndSignature signature',0,new_signature) LOG('getObjectFromPickleAndSignature signature',0,new_signature)
if new_signature==signature: if new_signature==signature:
LOG('getObjectFromPickleAndSignature ',0,'XXX same signature XXX') object = self.getObjectFromPickle(pickle_string)
msg = MIMEBase('application','octet-stream')
Encoders.encode_base64(msg)
msg.set_payload(pickle_string)
pickle_string = msg.get_payload(decode=1)
object = pickle.loads(pickle_string)
return object return object
security.declarePrivate('_getCookiePassword') security.declarePrivate('_getCookiePassword')
...@@ -815,4 +833,5 @@ class SelectionTool( UniqueObject, SimpleItem ): ...@@ -815,4 +833,5 @@ class SelectionTool( UniqueObject, SimpleItem ):
InitializeClass( SelectionTool ) InitializeClass( SelectionTool )
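Review bot: In the new `getPickleAndSignature`, `cookie_password` is read on the `hmac.new(cookie_password,pickle_string)` line but is never assigned: the `cookie_password = self._getCookiePassword()` line was removed from `getPickle` and not moved into the new method, so unless a module-level name of the same spelling exists this raises NameError on every call; insert `cookie_password = self._getCookiePassword()` before the `signature = hmac.new(...)` line. Separately, the new `getObjectFromPickle` is published with `security.declareProtected(ERP5Permissions.View, ...)` and calls `pickle.loads` on whatever string the caller passes, with no signature check on that path; the HMAC check in `getObjectFromPickleAndSignature` only protects callers who go through that method. If the unsigned path is only meant as an internal helper for the signature-checking method, `security.declarePrivate('getObjectFromPickle')` keeps the unpickling of caller-controlled data behind the signature check, and a comment such as `# never expose unsigned unpickling; all external input must go through getObjectFromPickleAndSignature` would record the intent. The enclosing `getPickle` body starts in the first hunk and continues into the second.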