From 95659db00a7008fed72a771b506ea8854b1a90b0 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 29 Oct 2020 11:36:26 -0400
Subject: [PATCH] Stop trying to use generic cookie parsing Trying to do so while guarding against errors and sanitizing input was more code and slower than targeting the one possible cookie we might care about. So the code is simpler and the performance is better, and the effect of stray cookies are mitigated.
---
 confluent_server/confluent/httpapi.py | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index c4a52a28..91440e37 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -65,16 +65,6 @@ opmap = {
 }
-class RobustCookie(Cookie.SimpleCookie):
- # this is very bad form, but BaseCookie has a terrible flaw
- def _BaseCookie__set(self, K, rval, cval):
- try:
- super(RobustCookie, self)._BaseCookie__set(K, rval, cval)
- except Cookie.CookieError:
- # empty value if SimpleCookie rejects
- dict.__setitem__(self, K, Cookie.Morsel())
-
-
 def group_creation_resources():
 yield confluent.messages.Attributes( kv={'name': None}, desc="Name of the group").html() + '
'
@@ -284,12 +274,10 @@ def _authorize_request(env, operation):
 if element.startswith('/sessions/current/'):
 element = None
 if 'HTTP_COOKIE' in env:
- #attempt to use the cookie. If it matches
- cc = RobustCookie()
- sanitized = '; '.join([x.strip().replace(' ', '_') for x in env['HTTP_COOKIE'].split(';')])
- cc.load(sanitized)
- if 'confluentsessionid' in cc:
- sessionid = cc['confluentsessionid'].value
+ cidx = (env['HTTP_COOKIE']).find('confluentsessionid=')
+ if cidx >= 0:
+ sessionid = env['HTTP_COOKIE'][cidx+19:cidx+51]
+ sessid = sessionid
 sessid = sessionid
 if sessionid in httpsessions:
 if _csrf_valid(env, httpsessions[sessionid]):
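Review bot: The `find('confluentsessionid=')` match on the added lines is not anchored to a cookie-name boundary, so the first occurrence of that text anywhere in `HTTP_COOKIE` (a longer cookie name ending in it, or another cookie's value) is read as the session id and can shadow the real cookie. The result must still be a key in `httpsessions` and pass `_csrf_valid`, so this looks like a robustness gap rather than a bypass, but a boundary check such as `if cidx == 0 or (cidx > 0 and env['HTTP_COOKIE'][cidx-1] in '; '):` would close it; matching the exact name over `split(';')` is the sturdier form. The offsets deserve a comment, e.g. `# 19 == len('confluentsessionid='); assumes a 32-character session id`, since a shorter value would pull the following `;` and cookie text into `sessionid`. The added `sessid = sessionid` duplicates the context line right after it and can be dropped. `_authorize_request` begins and ends outside this hunk.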