[AdminTL#83] authentication: replace eval to json when transform data…

… cookie - eval can execute arbitrary code and the user can modify the cookie - remove cookie management from handlers.py when try to detect loggued user
mathben · Mar 18, 2018 · 7a47f7c · 7a47f7c
1 parent 0339251
commit 7a47f7c
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/src/web/base_handler.py b/src/web/base_handler.py
@@ -3,6 +3,7 @@
 
 import tornado.web
 import sys
+import json
 
 
 class BaseHandler(tornado.web.RequestHandler):
@@ -35,17 +36,25 @@ def get_current_user(self):
         user_cookie = self.get_secure_cookie("user")
         if not user_cookie:
             return
+
         # trim private data
-        user_id = eval(user_cookie).get("user_id")
-        return self._db.get_user(id_type="user", user_id=user_id)
+        data = json.loads(user_cookie)
+        if type(data) is dict:
+            user_id = data.get("user_id")
+            return self._db.get_user(id_type="user", user_id=user_id)
+        else:
+            print("Error type on cookie %s %s" % (data, self.request.remote_ip), file=sys.stderr)
 
     def give_cookie(self, user_id, twitter_access_token=None, facebook_access_token=None, google_access_token=None):
         if user_id:
-            data = str({"user_id": user_id,
-                        "twitter_access_token": twitter_access_token,
-                        "facebook_access_token": facebook_access_token,
-                        "google_access_token": google_access_token})
-            self.set_secure_cookie("user", data)
+            data = {
+                "user_id": user_id,
+                "twitter_access_token": twitter_access_token,
+                "facebook_access_token": facebook_access_token,
+                "google_access_token": google_access_token
+            }
+            serialize_data = json.dumps(data)
+            self.set_secure_cookie("user", serialize_data)
             self.redirect("/")
         else:
             print("User doesn't have an id.", file=sys.stderr)
diff --git a/src/web/handlers.py b/src/web/handlers.py
@@ -72,7 +72,7 @@ def get(self):
 class LoginHandler(base_handler.BaseHandler):
     @tornado.web.asynchronous
     def get(self):
-        if self.get_secure_cookie("user"):
+        if self.get_current_user():
             self.redirect("/")
             return
 
@@ -83,7 +83,7 @@ def post(self):
         if self._global_arg["disable_login"]:
             self.redirect("/login?invalid=disable_login")
 
-        if self.get_secure_cookie("user"):
+        if self.get_current_user():
             print("Need to logout before login or sign up from %s" % self.request.remote_ip, file=sys.stderr)
             # Bad request
             self.set_status(400)