From a9eab615675ec456f5c639a11d8c8f1702ef6ea0 Mon Sep 17 00:00:00 2001
From: Jarrod Johnon
Date: Wed, 21 Jan 2015 16:20:55 -0500
Subject: [PATCH] Handle broken cookies from other sites in domain

If a web application in a wider domain sets a cookie that python doesn't like, a CookieError would be raised to ruin the whole request. Address by subclassing SimpleCookie to catch the cookie error and set an empty Morsel rather than fail out. This allows the errant cookie to be ignored while still being able to check for the cookie that we actually care about.
---
 confluent_server/confluent/httpapi.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index da5eeb6b..9df4c037 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -48,6 +48,14 @@ opmap = {
 'DELETE': 'delete',
 }

+class RobustCookie(Cookie.SimpleCookie):
+ # this is very bad form, but BaseCookie has a terrible flaw
+ def _BaseCookie__set(selfself, K, rval, cval):
+ try:
+ super(RobustCookie, self)._BaseCookie__set(K, rval, cval)
+ except Cookie.CookieError:
+ # empty value if SimpleCookie rejects
+ dict.__setitem__(self, K, Cookie.Morsel())

 def group_creation_resources():
 yield confluent.messages.Attributes(
@@ -154,7 +162,7 @@ def _authorize_request(env, operation):
 cookie = Cookie.SimpleCookie()
 if 'HTTP_COOKIE' in env:
 #attempt to use the cookie. If it matches
- cc = Cookie.SimpleCookie()
+ cc = RobustCookie()
 cc.load(env['HTTP_COOKIE'])
 if 'confluentsessionid' in cc:
 sessionid = cc['confluentsessionid'].value
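Review bot: The override in the first hunk is declared as `def _BaseCookie__set(selfself, K, rval, cval):` but its body uses `self`, so both `super(RobustCookie, self)` and `dict.__setitem__(self, K, Cookie.Morsel())` would raise NameError, which the `except Cookie.CookieError` clause does not catch. Because the second hunk makes `_authorize_request` build a `RobustCookie()` before `cc.load(env['HTTP_COOKIE'])`, this would appear to fail every request that carries a Cookie header rather than tolerate a malformed one; the signature should read `def _BaseCookie__set(self, K, rval, cval):`. The comment would help more if it named the flaw and the dependency, for example `# overrides BaseCookie's name-mangled __set so one rejected cookie does not abort load(); relies on a private stdlib method`. A small test that loads a header mixing a rejected cookie with `confluentsessionid` and asserts the session value is still read would catch the typo and guard the private-method dependency.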