Issue 43 in gaeutilities: Session poisoning when using datastore writer


codesite...@google.com

Jun 11, 2010, 3:07:54 AM
to appengine...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 43 by stanislaw.skonieczny: Session poisoning when using
datastore writer
http://code.google.com/p/gaeutilities/issues/detail?id=43

Session poisoning is quite easy when using gaeutilities 1.3 (the same
problem is with 1.4) with standard configuration.

The following steps should reproduce the problem:

1. Create a new appengine project, install gaeutilities v. 1.3, use the standard
configuration (datastore writer).
2. Copy the attached file "bug.py" to your project. It simply shows the session
content. Also add a handler for this file in app.yaml:
    - url: /bug
      script: bug.py
3. Visit "/bug". Your session is empty, but a cookie
named "gaeutilities_session_data" has been created.
4. Edit this cookie on the client side, changing its value to: "{\"key\": 7}"
(with all of the double quotes).
5. Visit "/bug" again. Your session is now {'key': 7}.


Expected output of this script should be:
Session is: {}
Key is: ''

Instead, it is:
Session is: {"key" = "7"}
Key is: 7


I am using version 1.3, but the same issue is with 1.4. Session poisoning
works both on the development server and on the appengine server.


After some investigation of the code, I have found the following in
sessions.py, lines 548-559:

    try:
        self.cookie_vals = \
            simplejson.loads(self.cookie["%s_data" %
                (self.cookie_name)].value)
        # sync self.cache and self.cookie_vals which will make those
        # values available for all gets immediately.
        for k in self.cookie_vals:
            self.cache[k] = self.cookie_vals[k]
        # sync the input cookie with the output cookie
        self.output_cookie["%s_data" % (self.cookie_name)] = \
            self.cookie["%s_data" % (self.cookie_name)]
    except:
        self.cookie_vals = {}

Commenting it out and adding one line instead:
    self.cookie_vals = {}
solves the problem, but I do not know if it breaks some other
functionality (cookie writer?).

Attachments:
bug.py 615 bytes
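
Added example, not part of the original report and not gaeutilities code: the cookie-to-cache pattern quoted from sessions.py, next to a variant that only accepts cookie data carrying a valid HMAC tag. The function names, the cookie encoding and the SECRET value are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client


def load_unsigned(cookie_value, cache):
    """Pattern from the report: parse the client cookie and copy it into the cache."""
    try:
        vals = json.loads(cookie_value)
        for k in vals:
            cache[k] = vals[k]
    except Exception:
        vals = {}
    return vals


def dump_signed(vals, secret=SECRET):
    """Serialize session values and append an HMAC-SHA256 tag over the payload."""
    payload = base64.urlsafe_b64encode(json.dumps(vals, sort_keys=True).encode())
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def load_signed(cookie_value, cache, secret=SECRET):
    """Accept the cookie only if the tag verifies; otherwise treat it as empty."""
    try:
        payload, tag = cookie_value.rsplit(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return {}
        vals = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return {}  # malformed, unsigned or non-ASCII input is rejected
    if not isinstance(vals, dict):
        return {}
    cache.update(vals)
    return vals


if __name__ == "__main__":
    forged = '{"key": 7}'  # constructed: the edited cookie value from the report
    print("unsigned loader:", load_unsigned(forged, {}))
    print("signed loader, forged cookie:", load_signed(forged, {}))
    print("signed loader, server-issued cookie:", load_signed(dump_signed({"key": 7}), {}))
```

A tag only shows that the server issued the value; session data that must never be client-editable still belongs in the datastore, keyed by the session token.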
