Issue 43 in gaeutilities: Session poisoning when using datastore writer
From: codesite-nore...@google.com
Date: Fri, 11 Jun 2010 07:07:54 +0000
Local: Fri, Jun 11 2010 3:07 am
Subject: Issue 43 in gaeutilities: Session poisoning when using datastore writer
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 43 by stanislaw.skonieczny: Session poisoning when using  
datastore writer
http://code.google.com/p/gaeutilities/issues/detail?id=43

Session poisoning is quite easy when using gaeutilities 1.3 (the same  
problem is with 1.4) with standard configuration.

The following steps should reproduce the problem:

1. Create new appengine project, install gaeutilities v. 1.3, use standard  
configuration (datastore writer).
2. Copy attached file "bug.py" to your project. It simply shows the session  
content. Also add handler for this file in app.yaml:
- url: /bug
  script: bug.py
3. Visit "/bug". Your session is empty, but cookie  
named "gaeutilities_session_data" has been created.
4. Edit this cookie on the client side, changing its value to: "{\"key\": 7}"  
(with all of double quotes).
5. Visit "/bug" again. Your session is now {'key': 7}.

Expected output of this script should be:
Session is: {}
Key is: ''

Instead, it is:
Session is: {"key" = "7"}
Key is: 7

I am using version 1.3, but the same issue is with 1.4. Session poisoning  
works both on the development server and appengine server.

After some investigation of the code, I have found the following in  
sessions.py, lines 548-559:

         try:
             self.cookie_vals = \
                 simplejson.loads(self.cookie["%s_data" % (self.cookie_name)].value)
             # sync self.cache and self.cookie_vals which will make those
             # values available for all gets immediately.
             for k in self.cookie_vals:
                 self.cache[k] = self.cookie_vals[k]
                 # sync the input cookie with the output cookie
                 self.output_cookie["%s_data" % (self.cookie_name)] = \
                     self.cookie["%s_data" % (self.cookie_name)]
         except:
             self.cookie_vals = {}

Commenting it out and adding one line instead:
         self.cookie_vals = {}
solves the problem, but I do not know if it breaks some other  
functionality (cookie writer?).

Attachments:
        bug.py  615 bytes
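
Added example, not part of the original report and not gaeutilities code: the unauthenticated cookie-to-cache merge described above, next to one common mitigation (an HMAC-SHA256 tag over the cookie data, checked before anything is merged). The names `SECRET`, `load_unsigned`, `sign`, `load_signed` and the `<json>|<tag>` cookie layout are assumptions made for this illustration, written for Python 3 with the standard library only.

```python
import hashlib
import hmac
import json

# Assumption: a server-side secret that is never sent to the client (constructed value).
SECRET = b"constructed-demo-key"


def load_unsigned(cookie_value, cache):
    """Pattern from the report: parse the client cookie and copy it into the cache."""
    try:
        vals = json.loads(cookie_value)
        for k in vals:
            cache[k] = vals[k]  # client-chosen keys land in the server-side session
    except Exception:
        vals = {}
    return vals


def _tag(payload):
    return hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign(data):
    """Serialise session data as '<json>|<hex HMAC-SHA256 tag>'."""
    payload = json.dumps(data, sort_keys=True)
    return payload + "|" + _tag(payload)


def load_signed(cookie_value, cache):
    """Merge cookie data only if its tag verifies; otherwise use an empty session."""
    payload, sep, tag = cookie_value.rpartition("|")
    # Compare as bytes so a non-ASCII tag from the client cannot raise TypeError.
    ok = sep and hmac.compare_digest(tag.encode("utf-8"), _tag(payload).encode("ascii"))
    if not ok:
        return {}
    vals = json.loads(payload)
    if not isinstance(vals, dict):
        return {}
    cache.update(vals)
    return vals


if __name__ == "__main__":
    edited = '{"key": 7}'  # constructed: cookie value edited on the client side
    print("unsigned:", load_unsigned(edited, {}))  # client data is accepted
    print("signed:  ", load_signed(edited, {}))    # rejected, no valid tag
```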


 