(MODPYTHON-191) Session class will no longer accept a normal cookie if a

grahamd · grahamd · commit 4af8dfe7bb5a · 2006-11-07T10:11:01.000Z
signed cookie was expected.
(MODPYTHON-200) Fixed problem whereby signed and marshalled cookies could
not be used at the same time. When expecting marshalled cookie, any signed,
but not marshalled cookies will be returned as normal cookies.
diff --git a/Doc/appendixc.tex b/Doc/appendixc.tex
@@ -450,6 +450,10 @@ \chapter{Changes from Version (3.2.10)\label{app-changes-from-3.2.10}}
     \item
       (\citetitle[http://issues.apache.org/jira/browse/MODPYTHON-189]{MODPYTHON-189})
       Fixed representation returned by calling \code{repr()} on a table object.
+    \item
+      (\citetitle[http://issues.apache.org/jira/browse/MODPYTHON-191]{MODPYTHON-191})
+      Session class will no longer accept a normal cookie if a signed cookie
+      was expected.
     \item
       (\citetitle[http://issues.apache.org/jira/browse/MODPYTHON-194]{MODPYTHON-194})
       Fixed potential memory leak due to not clearing the state of thread state
@@ -458,6 +462,11 @@ \chapter{Changes from Version (3.2.10)\label{app-changes-from-3.2.10}}
       (\citetitle[http://issues.apache.org/jira/browse/MODPYTHON-198]{MODPYTHON-198})
       Python 2.5 broke nested __auth__/__access__/__auth_realm__ in
       mod_python.publisher.
+    \item
+      (\citetitle[http://issues.apache.org/jira/browse/MODPYTHON-200]{MODPYTHON-200})
+      Fixed problem whereby signed and marshalled cookies could not be used
+      at the same time. When expecting marshalled cookie, any signed, but
+      not marshalled cookies will be returned as normal cookies.
   \end{itemize}
 
 
diff --git a/Doc/modpython4.tex b/Doc/modpython4.tex
@@ -2181,7 +2181,7 @@ \subsection{Classes\label{pyapi-cookie-classes}}
 
     \begin{notice}
       Always check the types of objects returned by
-      \method{SignedCookie.parse()}.If it is an instance of
+      \method{SignedCookie.parse()}. If it is an instance of
       \class{Cookie} (as opposed to \class{SignedCookie}), the
       signature verification has failed:
       \begin{verbatim}
@@ -2242,7 +2242,20 @@ \subsection{Functions\label{pyapi-cookie-func}}
   can be any number of keyword arguments which, will be passed to
   \method{parse()} (This is useful for \class{signedCookie} and
   \class{MarshalCookie} which require \code{secret} as an additional
-  argument to \method{parse}).
+  argument to \method{parse}). The set of cookies found is returned as
+  a dictionary.
+\end{funcdesc}
+
+\begin{funcdesc}{get_cookie}{req, name \optional{, Class, data}}
+  This is a convenience function for retrieving a single named cookie
+  from incoming headers. \var{req} is a mod_python \class{Request}
+  object. \var{name} is the name of the cookie. \var{Class} is a class
+  whose \method{parse()} method will be used to parse the cookies, it
+  defaults to \code{Cookie}. \var{Data} can be any number of keyword
+  arguments which, will be passed to \method{parse()} (This is useful for
+  \class{signedCookie} and \class{MarshalCookie} which require
+  \code{secret} as an additional argument to \method{parse}). The cookie
+  if found is returned, otherwise \code{None} is returned.
 \end{funcdesc}
 
 \subsection{Examples\label{pyapi-cookie-example}}
diff --git a/README b/README
@@ -4,7 +4,7 @@ This is the Mod_Python README file. It consists of the following parts:
 
 1. Getting Started
 2. Flex
-3. New in 3.2
+3. New in 3.3
 4. New in 3.0
 5. Migrating from Mod_Python 2.7.8
 6. OS Hints
@@ -29,7 +29,11 @@ If you can't read instructions:
 
 2. ./configure will generate a WARNING if it cannot find flex, or it 
 is the wrong version. Generally you can ignore this warning and still
-successfully compile mod_python.
+successfully compile mod_python as the timestamp of the src/psp_parser.c
+file will be newer than that for the src/psp_parser.l file. If for some
+reason it still tries to run flex to regenerate the src/psp_parser.c
+file, running 'touch src/psp_parser.c' to update the timestamp should
+stop this and it will use the provided file.
 
 The parser used by psp is written in C generated using flex. This
 requires a reentrant version of flex, which at this time is 2.5.31.
@@ -41,7 +45,7 @@ src/psp_parser.c file, you must get the correct flex version.
 You can specify the path the flex binary by using 
 ./configure --with-flex=/path/to/flex/binary.
 
-3. New in 3.2
+3. New in 3.3
    Please refer to doc-html/ for more information.
 
 4. New in 3.0
diff --git a/lib/python/mod_python/Cookie.py b/lib/python/mod_python/Cookie.py
@@ -1,3 +1,4 @@
+ # vim: set sw=4 expandtab :
  #
  # Copyright 2004 Apache Software Foundation 
  # 
@@ -107,14 +108,18 @@ class Cookie(object):
 
     __metaclass__ = metaCookie
 
-    def parse(Class, str):
+    DOWNGRADE = 0
+    IGNORE = 1
+    EXCEPTION = 3
+
+    def parse(Class, str, **kw):
         """
         Parse a Cookie or Set-Cookie header value, and return
         a dict of Cookies. Note: the string should NOT include the
         header name, only the value.
         """
 
-        dict = _parse_cookie(str, Class)
+        dict = _parse_cookie(str, Class, **kw)
         return dict
 
     parse = classmethod(parse)
@@ -173,18 +178,27 @@ class SignedCookie(Cookie):
     is still plainly visible as part of the cookie.
     """
 
-    def parse(Class, s, secret):
+    def parse(Class, s, secret, mismatch=Cookie.DOWNGRADE, **kw):
 
-        dict = _parse_cookie(s, Class)
+        dict = _parse_cookie(s, Class, **kw)
 
+        del_list = []
         for k in dict:
             c = dict[k]
             try:
                 c.unsign(secret)
             except CookieError:
-                # downgrade to Cookie
-                dict[k] = Cookie.parse(Cookie.__str__(c))[k]
-        
+                if mismatch == Cookie.EXCEPTION:
+                     raise
+                elif mismatch == Cookie.IGNORE:
+                     del_list.append(k)
+                else:
+                     # downgrade to Cookie
+                     dict[k] = Cookie.parse(Cookie.__str__(c))[k]
+
+        for k in del_list:
+            del dict[k]
+
         return dict
 
     parse = classmethod(parse)
@@ -244,17 +258,26 @@ class MarshalCookie(SignedCookie):
     http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=7xn0hcugmy.fsf%40ruckus.brouhaha.com
     """
 
-    def parse(Class, s, secret):
+    def parse(Class, s, secret, mismatch=Cookie.DOWNGRADE, **kw):
 
-        dict = _parse_cookie(s, Class)
+        dict = _parse_cookie(s, Class, **kw)
 
+        del_list = []
         for k in dict:
             c = dict[k]
             try:
                 c.unmarshal(secret)
-            except (CookieError, ValueError):
-                # downgrade to Cookie
-                dict[k] = Cookie.parse(Cookie.__str__(c))[k]
+            except CookieError:
+                if mismatch == Cookie.EXCEPTION:
+                     raise
+                elif mismatch == Cookie.IGNORE:
+                     del_list.append(k)
+                else:
+                     # downgrade to Cookie
+                     dict[k] = Cookie.parse(Cookie.__str__(c))[k]
+
+        for k in del_list:
+            del dict[k]
 
         return dict
 
@@ -279,8 +302,16 @@ def __str__(self):
     def unmarshal(self, secret):
 
         self.unsign(secret)
-        self.value = marshal.loads(base64.decodestring(self.value))
 
+        try:
+            data = base64.decodestring(self.value)
+        except:
+            raise CookieError, "Cannot base64 Decode Cookie: %s=%s" % (self.name, self.value)
+
+        try:
+            self.value = marshal.loads(data)
+        except (EOFError, ValueError, TypeError):
+            raise CookieError, "Cannot Unmarshal Cookie: %s=%s" % (self.name, self.value)
 
 
 # This is a simplified and in some places corrected
@@ -301,7 +332,7 @@ def unmarshal(self, secret):
     r"\s*;?"                      # probably ending in a semi-colon
     )
 
-def _parse_cookie(str, Class):
+def _parse_cookie(str, Class, names=None):
     # XXX problem is we should allow duplicate
     # strings
     result = {}
@@ -313,7 +344,7 @@ def _parse_cookie(str, Class):
 
         # We just ditch the cookies names which start with a dollar sign since
         # those are in fact RFC2965 cookies attributes. See bug [#MODPYTHON-3].
-        if key[0]!='$':
+        if key[0]!='$' and names is None or key in names:
             result[key] = Class(key, val)
 
     return result
@@ -351,3 +382,7 @@ def get_cookies(req, Class=Cookie, **kw):
 
     return Class.parse(cookies, **kw)
 
+def get_cookie(req, name, Class=Cookie, **kw):
+    cookies = get_cookies(req, Class, names=[name], **kw)
+    if cookies.has_key(name):
+        return cookies[name]
diff --git a/lib/python/mod_python/Session.py b/lib/python/mod_python/Session.py
@@ -1,3 +1,4 @@
+ # vim: set sw=4 expandtab :
  #
  # Copyright 2004 Apache Software Foundation 
  # 
@@ -141,27 +142,35 @@ def __init__(self, req, sid=None, secret=None, lock=1,
         if config.has_key("mod_python.session.cookie_name"):
             session_cookie_name = config.get("mod_python.session.cookie_name", COOKIE_NAME)
         else:
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             session_cookie_name = config.get("session_cookie_name", COOKIE_NAME)
 
         if not self._sid:
             # check to see if cookie exists
             if secret:  
-                cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie,
-                                             secret=self._secret)
+                cookie = Cookie.get_cookie(req, session_cookie_name,
+                                           Class=Cookie.SignedCookie,
+                                           secret=self._secret,
+                                           mismatch=Cookie.Cookie.IGNORE)
             else:
-                cookies = Cookie.get_cookies(req)
+                cookie = Cookie.get_cookie(req, session_cookie_name)
+
+            if cookie:
+                self._sid = cookie.value
 
-            if cookies.has_key(session_cookie_name):
-                self._sid = cookies[session_cookie_name].value
-        
         if self._sid:
-            # Validate the sid *before* locking the session
-            # _check_sid will raise an apache.SERVER_RETURN exception 
             if not _check_sid(self._sid):
-                self._req.log_error("mod_python.Session warning: The session id contains invalid characters, valid characters are only 0-9 and a-f",
-                        apache.APLOG_WARNING)
-                raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
+                if sid:
+                    # Supplied explicitly by user of the class,
+                    # raise an exception and make the user code
+                    # deal with it.
+                    raise ValueError("Invalid Session ID: sid=%s" % sid)
+                else:
+                    # Derived from the cookie sent by browser,
+                    # wipe it out so it gets replaced with a
+                    # correct value.
+                    self._sid = None
 
         self.init_lock()
 
@@ -194,7 +203,8 @@ def make_cookie(self):
         if config.has_key("mod_python.session.cookie_name"):
             session_cookie_name = config.get("mod_python.session.cookie_name", COOKIE_NAME)
         else:
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             session_cookie_name = config.get("session_cookie_name", COOKIE_NAME)
 
         if self._secret:
@@ -208,7 +218,8 @@ def make_cookie(self):
         if config.has_key("mod_python.session.application_path"):
             c.path = config["mod_python.session.application_path"]
         elif config.has_key("ApplicationPath"):
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             c.path = config["ApplicationPath"]
         else:
             # the path where *Handler directive was specified
@@ -342,14 +353,16 @@ def __init__(self, req, dbm=None, sid=0, secret=None, dbmtype=anydbm,
             if opts.has_key("mod_python.dbm_session.database_filename"):
                 dbm = opts["mod_python.dbm_session.database_filename"]
             elif opts.has_key("session_dbm"):
-                # For backwards compatability only.
+                # For backwards compatability with versions
+                # of mod_python prior to 3.3.
                 dbm = opts["session_dbm"]
             elif opts.has_key("mod_python.dbm_session.database_directory"):
                 dbm = os.path.join(opts.get('mod_python.dbm_session.database_directory', tempdir), 'mp_sess.dbm')
             elif opts.has_key("mod_python.session.database_directory"):
                 dbm = os.path.join(opts.get('mod_python.session.database_directory', tempdir), 'mp_sess.dbm')
             else:
-                # For backwards compatability only.
+                # For backwards compatability with versions
+                # of mod_python prior to 3.3.
                 dbm = os.path.join(opts.get('session_directory', tempdir), 'mp_sess.dbm')
 
         self._dbmfile = dbm
@@ -427,7 +440,8 @@ def __init__(self, req, sid=0, secret=None, timeout=0, lock=1,
             if opts.has_key('mod_python.file_session.enable_fast_cleanup'):
                 self._fast_cleanup = true_or_false(opts.get('mod_python.file_session.enable_fast_cleanup', DFT_FAST_CLEANUP))
             else:
-                # For backwards compatability only.
+                # For backwards compatability with versions
+                # of mod_python prior to 3.3.
                 self._fast_cleanup = true_or_false(opts.get('session_fast_cleanup', DFT_FAST_CLEANUP))
         else:
             self._fast_cleanup = fast_cleanup
@@ -436,29 +450,33 @@ def __init__(self, req, sid=0, secret=None, timeout=0, lock=1,
             if opts.has_key('mod_python.file_session.verify_session_timeout'):
                 self._verify_cleanup = true_or_false(opts.get('mod_python.file_session.verify_session_timeout', DFT_VERIFY_CLEANUP))
             else:
-                # For backwards compatability only.
+                # For backwards compatability with versions
+                # of mod_python prior to 3.3.
                 self._verify_cleanup = true_or_false(opts.get('session_verify_cleanup', DFT_VERIFY_CLEANUP))
         else:
             self._verify_cleanup = verify_cleanup
 
         if opts.has_key('mod_python.file_session.cleanup_grace_period'):
             self._grace_period = int(opts.get('mod_python.file_session.cleanup_grace_period', DFT_GRACE_PERIOD))
         else:
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             self._grace_period = int(opts.get('session_grace_period', DFT_GRACE_PERIOD))
 
         if opts.has_key('mod_python.file_session.cleanup_time_limit'):
             self._cleanup_time_limit = int(opts.get('mod_python.file_session.cleanup_time_limit',DFT_CLEANUP_TIME_LIMIT))
         else:
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             self._cleanup_time_limit = int(opts.get('session_cleanup_time_limit',DFT_CLEANUP_TIME_LIMIT))
 
         if opts.has_key('mod_python.file_session.database_directory'):
             self._sessdir = os.path.join(opts.get('mod_python.file_session.database_directory', tempdir), 'mp_sess')
         elif opts.has_key('mod_python.session.database_directory'):
             self._sessdir = os.path.join(opts.get('mod_python.session.database_directory', tempdir), 'mp_sess')
         else:
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             self._sessdir = os.path.join(opts.get('session_directory', tempdir), 'mp_sess')
 
         # FIXME
@@ -756,7 +774,8 @@ def Session(req, sid=0, secret=None, timeout=0, lock=1):
     if opts.has_key('mod_python.session.session_type'):
         sess_type = opts['mod_python.session.session_type']
     elif opts.has_key('session'):
-        # For backwards compatability only.
+        # For backwards compatability with versions
+        # of mod_python prior to 3.3.
         sess_type = opts['session']
     else:
         # no session class in config so get the default for the platform
diff --git a/lib/python/mod_python/__init__.py b/lib/python/mod_python/__init__.py
@@ -20,5 +20,5 @@
 __all__ = ["apache", "cgihandler", "psp",
            "publisher", "util", "python22"]
 
-version = "3.3.0-dev-20061105"
+version = "3.3.0-dev-20061107"
 
diff --git a/lib/python/mod_python/psp.py b/lib/python/mod_python/psp.py
@@ -134,7 +134,8 @@ def cache_get(self, filename, mtime):
         if opts.has_key("mod_python.psp.cache_database_filename"):
             self.dbmcache = opts["mod_python.psp.cache_database_filename"]
         elif opts.has_key("PSPDbmCache"):
-            # For backwards compatability only.
+            # For backwards compatability with versions
+            # of mod_python prior to 3.3.
             self.dbmcache = opts["PSPDbmCache"]
 
         if self.dbmcache:
diff --git a/src/include/mpversion.h b/src/include/mpversion.h
@@ -1,5 +1,5 @@
 #define MPV_MAJOR 3
 #define MPV_MINOR 3
 #define MPV_PATCH 0
-#define MPV_BUILD 20061105
-#define MPV_STRING "3.3.0-dev-20061105"
+#define MPV_BUILD 20061107
+#define MPV_STRING "3.3.0-dev-20061107"
diff --git a/test/test.py b/test/test.py
