From: William Tisäter Date: Mon, 7 Jul 2014 21:29:44 +0000 (+0200) Subject: Remove length requirement from v1 XSRF tokens X-Git-Tag: v4.0.0b3~2^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22e8614fdd045a1d2ac264c9917814ae4852170b;p=thirdparty%2Ftornado.git Remove length requirement from v1 XSRF tokens
---
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index c475520b2..2f595af67 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -1954,6 +1954,20 @@ class XSRFTest(SimpleHandlerTestCase):
 body=urllib_parse.urlencode(dict(_xsrf=self.xsrf_token)))
 self.assertEqual(response.code, 403)
 
+ def test_xsrf_success_short_token(self):
+ with ExpectLog(gen_log, ".*XSRF cookie does not match POST"):
+ response = self.fetch(
+ "/", method="POST",
+ body=urllib_parse.urlencode(dict(_xsrf='deadbeef')))
+ self.assertEqual(response.code, 403)
+
+ def test_xsrf_success_non_hex_token(self):
+ with ExpectLog(gen_log, ".*XSRF cookie is not a hexadecimal"):
+ response = self.fetch(
+ "/", method="POST",
+ body=urllib_parse.urlencode(dict(_xsrf='xoxo')))
+ self.assertEqual(response.code, 400)
+
 def test_xsrf_fail_cookie_no_body(self):
 with ExpectLog(gen_log, ".*'_xsrf' argument missing"):
 response = self.fetch(
diff --git a/tornado/web.py b/tornado/web.py
index 9fe2f77b9..7147c17e6 100644
--- a/tornado/web.py
+++ b/tornado/web.py
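Review bot: The two new tests assert rejected requests (403 and 400) yet are named `test_xsrf_success_short_token` and `test_xsrf_success_non_hex_token`; the neighbouring cases in this class use a `test_xsrf_fail_*` prefix for rejections, so `def test_xsrf_fail_short_token(self):` and `def test_xsrf_fail_non_hex_token(self):` would keep the naming consistent and stop the names contradicting the assertions. The non-hex case also depends on `binascii.a2b_hex` raising `TypeError` for `'xoxo'`, which is the Python 2 behaviour; on Python 3 the same call raises `binascii.Error`, so unless the handler in tornado/web.py catches that as well this test is likely to see an unhandled error (a 500) rather than the expected 400 there. A short comment on the 400 assertion saying which exception the handler is expected to translate would make that dependency visible.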
@@ -1140,14 +1140,15 @@ class RequestHandler(object):
 else:
 # Treat unknown versions as not present instead of failing.
 return None, None, None
- elif len(cookie) == 32:
+ else:
 version = 1
- token = binascii.a2b_hex(utf8(cookie))
+ try:
+ token = binascii.a2b_hex(utf8(cookie))
+ except TypeError:
+ raise HTTPError(400, "XSRF cookie is not a hexadecimal")
 # We don't have a usable timestamp in older versions.
 timestamp = int(time.time())
 return (version, token, timestamp)
- else:
- return None, None, None
 
 def check_xsrf_cookie(self):
 """Verifies that the ``_xsrf`` cookie matches the ``_xsrf`` argument.
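Review bot: The new `except TypeError:` only covers the Python 2 failure mode of `binascii.a2b_hex`; on Python 3 a non-hex or odd-length cookie raises `binascii.Error`, which this clause does not catch, so a malformed `_xsrf` cookie escapes the decoder as an unhandled exception (a 500) instead of the intended 400. Because the cookie value is entirely client-controlled, the decode path should never be able to raise anything other than `HTTPError`; `except (binascii.Error, TypeError):` closes the gap on both interpreters. The `test_xsrf_success_non_hex_token` case added in tornado/test/web_test.py in this same commit is the one that would surface this on Python 3. The enclosing method (`_decode_xsrf_token`, with its version-2 branch) starts before this hunk.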