Yuen Ho Wong <wyue...@gmail.com> added the comment:

Ok I wasn't sure what security hole you were referring to, now I understand 
better.

Here's a pseudo code solution:

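# Tag numeric ids with their type so the parser can restore it.
if isinstance(who_userid, int):
    who_userid = "int(" + str(who_userid) + ")"
elif isinstance(who_userid, float):
    who_userid = "float(" + str(who_userid) + ")"
elif isinstance(who_userid, str):
    pass  # strings are stored unchanged
else:
    raise ValueError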

When you parse the cookie, just do eval(). When the type is a str, check the
global charset var for an appropriate charset to decode to. Is this an
acceptable solution?

__________________________________
Repoze Bugs <b...@bugs.repoze.org>
<http://bugs.repoze.org/issue101>
__________________________________
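
An added example, not part of the original message or of repoze.who: the type round-trip the comment describes, parsed through a fixed table of converters rather than eval(), because eval() evaluates whatever expression the cookie field contains. The "tag:value" format and the function names are assumptions.

```python
# Added example; names and the "tag:value" wire format are assumptions.

# Fixed table of allowed tags -> converter. Nothing outside it is ever called.
_DECODERS = {"int": int, "float": float, "str": str}


def encode_userid(userid):
    """Serialize a userid as '<tag>:<value>' so its type survives the cookie."""
    # bool is a subclass of int; refuse it rather than silently storing 1/0.
    if isinstance(userid, bool):
        raise ValueError("unsupported userid type: bool")
    for tag, typ in (("int", int), ("float", float), ("str", str)):
        if isinstance(userid, typ):
            # repr() round-trips floats exactly; a str is stored unchanged.
            value = userid if typ is str else repr(userid)
            return tag + ":" + value
    raise ValueError("unsupported userid type: %s" % type(userid).__name__)


def decode_userid(field):
    """Parse a '<tag>:<value>' field back to a typed userid without eval()."""
    # Split on the first colon only, so string ids may contain colons.
    tag, sep, value = field.partition(":")
    if not sep or tag not in _DECODERS:
        raise ValueError("malformed or unknown userid tag")
    # int() and float() raise ValueError on non-numeric text.
    return _DECODERS[tag](value)
```

Tagging strings as well removes the ambiguity of an untagged string id that happens to look like "int(5)".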