Commit 75b19aad authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.

Receiving name & password parameters does not prevent us from also
receiving the authentication cookie. It must not be kept in the request.
And likewise for requests also containing an HTTP authentication header.
And likewise for requests for which CookieCrumbler disables itself on.
parent 51aaed94
......@@ -110,11 +110,10 @@ def modifyRequest(self, req, resp):
cookie login is disabled for this request, raises
CookieCrumblerDisabled.
"""
if (req.__class__ is not HTTPRequest
or not req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
or req.environ.has_key('WEBDAV_SOURCE_PORT')):
raise CookieCrumblerDisabled
enabled = (req.__class__ is HTTPRequest
and req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
and 'WEBDAV_SOURCE_PORT' not in req.environ)
if enabled:
req.post_traverse(balancer_cookie_hook, (self, req, resp))
# attempt may contain information about an earlier attempt to
......@@ -126,9 +125,8 @@ def modifyRequest(self, req, resp):
if req._auth:
# An auth header was provided and no cookie crumbler
# created it. The user must be using basic auth.
raise CookieCrumblerDisabled
if req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
enabled = False
elif req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
# Attempt to log in and set cookies.
attempt = ATTEMPT_LOGIN
name = req[self.name_cookie]
......@@ -148,9 +146,6 @@ def modifyRequest(self, req, resp):
method = self.getCookieMethod( 'setAuthCookie'
, self.defaultSetAuthCookie )
method( resp, self.auth_cookie, quote( ac ) )
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
elif req.has_key(self.auth_cookie):
# Attempt to resume a session if the cookie is valid.
# Copy __ac to the auth header.
......@@ -170,6 +165,11 @@ def modifyRequest(self, req, resp):
if method is not None:
method(resp, self.auth_cookie, quote(ac))
self.delRequestVar(req, self.auth_cookie)
self.delRequestVar(req, self.name_cookie)
self.delRequestVar(req, self.pw_cookie)
if not enabled:
raise CookieCrumblerDisabled
req._cookie_auth = attempt
return attempt
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment