[Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
Simo Sorce
simo at redhat.com
Fri Dec 7 23:19:47 UTC 2012
On Fri, 2012-12-07 at 16:21 -0500, John Dennis wrote:
> On 12/07/2012 03:44 PM, Rob Crittenden wrote:
> > John Dennis wrote:
> >> Revised patch attached.
> >>
> >
> > Why catch exceptions from client_session_keyring_keyname() when it
> > doesn't raise any?
>
> It may not explicitly raise an exception but one can still be raised if
> either KEYRING_COOKIE_NAME or principal is invalid. It's not likely that
> KEYRING_COOKIE_NAME would be invalid but the principal might be due to
> logic failures earlier.
>
>
> > In store_session_cookie() shouldn't we log an error if a cookie can't be
> > parsed, not a debug?
>
> Good point. Actually there is another problem there, if None is returned
> we need to stop processing and return. I've fixed both.
>
> >
> > In apply_session_cookie() I think we should log Cookie.URLMismatch and
> > Exception at the error level instead of debug.
>
> Good point, changed that to an error message as well as the catch-all
> handler immediately below it.
>
>
> > My knowledge of cookies is rusty, but I don't understand this bit in
> > path_valid()
> >
> > + if not url_path or not url_path.startswith('/'):
> > + request_path = '/'
> > + elif url_path.count('/') <= 1:
> > + request_path = '/'
> > + elif url_path.endswith('/'):
> > + request_path = url_path[:-1]
> > + else:
> > + request_path = url_path
> >
> > If my url_path cis /ipa isn't this going to treat it as "/"? That seems
> > wrong.
>
> I agree, that's confusing, it confused me too, but that's exactly what's
> in the RFC (http://tools.ietf.org/html/rfc6265#page-16). I stared at
> that a long time myself with exactly the same concerns.
>
> I'd appreciate it you or someone else would look at the RFC because I
> wonder if I'm not reading it correctly. I tend to agree that check is wrong.
>
> I'll send a revised patch with the above mentioned fixes once someone
> else puts their eyeballs on the RFC, or maybe we should just remove the
> check for the time being.
I think that the algorithm fails to follow the RFC when you do:
elif url_path.endswith('/'):
request_path = url_path[:-1]
Point 4 of the RFC doesn't say the path needs to end with a / it says
you need to take everything before the last / wherever it is.
Ie if the patch is /ipa/ui/foo then the path for the cookie is /ipa/ui
Conversely if the path is /ipa/ui/foo/ the path is /ipa/ui/foo
Basically these rules threat the last 'leaf' component as not part of
the path and are meant to remove it.
If I read it right instead your code fails the first example ie,
both /ipa/ui/foo and /ipa/ui/foo/ give out a path of /ipa/ui/foo
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list