#1130: logging crashes when URL contains unicode symbols and user is logged in
(mod_python system)
------------------------+---------------------------------------------------
Reporter: dado1945 | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: __unclassified__
Component: TurboGears | Version: 1.0.8
Severity: minor | Resolution:
Keywords: |
------------------------+---------------------------------------------------
Comment (by kikidonk):
And while I'm at it, now that I know unicode user_name is supported, there
will be a bug here:
http://trac.turbogears.org/browser/tags/1.0b1/turbogears/identity/visitor.py#L116
Reproduce easily using the steps I described above, but instead of opening
the url in your browser:
{{{
curl -u 'ß:foo' 'http://localhost:8080/éé?id=éé'
}}}
This will make the code go through 'identity_from_http_auth', which will
get the Authorization header (cherrypy returns this as a byte-string) then
base64 decode the stuff.
In the end you end up calling line 118 validate_identity with a byte-
encoded username.
This means that this same bytestring will be passed as is to sqlalchemy,
which won't be able to compare the username in the db (stored as unicode
string) to the given bytestring username, and it generates a warning:
{{{
/usr/lib/python2.5/site-packages/SQLAlchemy-0.4.8-py2.5.egg/sqlalchemy/engine/default.py:241: SAWarning: Unicode type received non-unicode bind param value '\xc3\x9f'
}}}
Hopefully the db engine will have some good fallbacks allowing the query
to run correctly, but this is not something we can rely on.
Possible fix: decode the username just before calling validate_identity
using utf-8 (fallback to latin1, as I don't know if the encoding of http
headers is specified anywhere)
--
Ticket URL: <http://trac.turbogears.org/ticket/1130#comment:14>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
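
The fix proposed in the comment above, sketched as an added example (not TurboGears code and not part of the original ticket): the Basic credentials are decoded from bytes to text before they would reach an identity check. The function names `decode_credential` and `parse_basic_auth` are hypothetical, the sample headers are constructed, and the code is written for Python 3.

```python
import base64
import binascii


def decode_credential(raw: bytes) -> str:
    """Decode bytes to text: strict UTF-8 first, then Latin-1 as fallback."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        # Latin-1 maps every byte to a code point, so this cannot fail.
        return raw.decode("latin-1")


def parse_basic_auth(header: bytes):
    """Return (username, password) as text, or None for a malformed header."""
    scheme, _, payload = header.strip().partition(b" ")
    if scheme.lower() != b"basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only the first colon separates user from password (RFC 7617).
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    # Decode here so the identity provider and the database layer only
    # ever see text, never the raw bytes taken from the header.
    return decode_credential(user), decode_credential(password)


# Constructed sample headers for the 'ß:foo' credentials from the ticket,
# once as a UTF-8 client would send them and once as a Latin-1 client would.
UTF8_HEADER = b"Basic " + base64.b64encode("ß:foo".encode("utf-8"))
LATIN1_HEADER = b"Basic " + base64.b64encode("ß:foo".encode("latin-1"))

if __name__ == "__main__":
    for h in (UTF8_HEADER, LATIN1_HEADER, b"Basic !!!", b"Bearer abc"):
        print(h, "->", parse_basic_auth(h))
```

The fallback is a heuristic: Latin-1 bytes that happen to form valid UTF-8 are decoded as UTF-8, so two clients using different encodings can still produce different usernames for the same typed characters.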