[Repoze-dev] [issue100] Configurable character set support for repoze.who and repoze.what

Yuen Ho Wong added the comment: I'm not entirely sure why this is not "actionable on any realistic level", and what you mean by lower layers. Perhaps you can explain further or point me to a previous discussion if this has been talked about before? -- status: resol

[Repoze-dev] [issue101] AuthTktCookie should not try to decode userid based on value types

Yuen Ho Wong added the comment: P.S. I think this solution solves the uncertainty of possibly clashing with the mod_auth_tkt use of the userdata field, however small this (non) issue maybe? __ Repoze Bugs <http://bugs.repoze.org/issue

[Repoze-dev] [issue101] AuthTktCookie should not try to decode userid based on value types

Yuen Ho Wong added the comment: Yes the charset is irrelevant here. Decoding shouldn't be done here anyway. I think I have to reiterate the problem as accepting unicode strings because it breaks conformance with the WSGI spec. There never should have been unicode strings in the envir

[Repoze-dev] [issue101] AuthTktCookie should not try to decode userid based on value types

Yuen Ho Wong added the comment: Ok I wasn't sure what security hole you were referring to, now I understand better. Here's a pseudo code solution: if isinstance(who_userid, int): who_userid = "int(" + who_userid + ")" elif isinstance(who_userid, fl

[Repoze-dev] [issue101] AuthTktCookie should not try to decode userid based on value types

Yuen Ho Wong added the comment: I think you are mixing 3 problems into 1. I think AuthTktCookiePlugin should be simply a plugin that parses, sets and deletes auth_tkt cookies. Security, which I assume you are talking about XSS, is not a responsibility of this plugin, the application is

[Repoze-dev] [issue101] AuthTktCookie should not try to decode userid based on value types

Yuen Ho Wong added the comment: Ok I agree it's not important to try to emulate mod_auth_tkt, which I think is a totally dead project anyway. But I have to take issue with the way unicode decoding is dealt with in this plugin. First of all, you are not even suppose to smuggle and un

[Repoze-dev] [issue100] Configurable character set support for repoze.who and repoze.what

Yuen Ho Wong added the comment: Well I think the WSGI 1.x spec has made a mistake of mandating all strings in environ to be byte strings while not defining a global environment variable to give middlewares a hint of how to decode the byte strings. This is a recognized problem that is

[Repoze-dev] [issue101] AuthTktCookie should not try to decode userid based on value types

New submission from Yuen Ho Wong : This is a minor bug remotely related to issue 100. According to the WSGI spec, all the strings in the environ should be byte strings. However, if some IIdentifier plugin returns an unicode login name for identity dict, AuthTktCookie will automatically

[Repoze-dev] [issue100] Configurable character set support for repoze.who and repoze.what

New submission from Yuen Ho Wong : It seems that from the design to the implementation of repoze.who and repoze.what, including its plugins, have completely failed to support holistically any charset other then Latin-1. As of now, there is not an option global to repoze.who, and subsequently