Pylons · mmerickel · Nov 13, 2015 · Oct 28, 2015 · Oct 29, 2015 · Oct 29, 2015
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -232,6 +232,11 @@ Bug Fixes
   shell a little more straightfoward.
   See https://github.com/Pylons/pyramid/pull/1883
 
+- Fix an issue when user passes unparsed strings to ``pyramid.session.CookieSession``
+  and ``pyramid.authentication.AuthTktCookieHelper`` for time related parameters
+  ``timeout``, ``reissue_time``, ``max_age`` that expect an integer value.
+  See https://github.com/Pylons/pyramid/pull/2050
+
 - Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in
   horrible ways. See https://github.com/Pylons/pyramid/pull/2118
 

diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
@@ -254,3 +254,5 @@ Contributors
 - Jesse Dhillon, 2015/10/07
 
 - Amos Latteier, 2015/10/22
+
+- Rami Chousein, 2015/10/28
diff --git a/pyramid/authentication.py b/pyramid/authentication.py
@@ -855,9 +855,9 @@ def __init__(self, secret, cookie_name='auth_tkt', secure=False,
         self.cookie_name = cookie_name
         self.secure = secure
         self.include_ip = include_ip
-        self.timeout = timeout
-        self.reissue_time = reissue_time
-        self.max_age = max_age
+        self.timeout = timeout if timeout is None else int(timeout)
+        self.reissue_time = reissue_time if reissue_time is None else int(reissue_time)
+        self.max_age = max_age if max_age is None else int(max_age)
         self.wild_domain = wild_domain
         self.parent_domain = parent_domain
         self.domain = domain
@@ -977,8 +977,7 @@ def remember(self, request, userid, max_age=None, tokens=()):
           Tokens are available in the returned identity when an auth_tkt is
           found in the request and unpacked.  Default: ``()``.
         """
-        if max_age is None:
-            max_age = self.max_age
+        max_age = self.max_age if max_age is None else int(max_age)
 
         environ = request.environ
 

diff --git a/pyramid/session.py b/pyramid/session.py
@@ -238,14 +238,14 @@ class CookieSession(dict):
 
         # configuration parameters
         _cookie_name = cookie_name
-        _cookie_max_age = max_age
+        _cookie_max_age = max_age if max_age is None else int(max_age)
         _cookie_path = path
         _cookie_domain = domain
         _cookie_secure = secure
         _cookie_httponly = httponly
         _cookie_on_exception = set_on_exception
-        _timeout = timeout
-        _reissue_time = reissue_time
+        _timeout = timeout if timeout is None else int(timeout)
+        _reissue_time = reissue_time if reissue_time is None else int(reissue_time)
 
         # dirty flag
         _dirty = False

diff --git a/pyramid/tests/test_authentication.py b/pyramid/tests/test_authentication.py
@@ -600,6 +600,15 @@ def _parseCookie(self, cookie):
         cookies.load(cookie)
         return cookies.get('auth_tkt')
 
+    def test_init_cookie_str_reissue_invalid(self):
+        self.assertRaises(ValueError, self._makeOne, 'secret', reissue_time='invalid value')
+
+    def test_init_cookie_str_timeout_invalid(self):
+        self.assertRaises(ValueError, self._makeOne, 'secret', timeout='invalid value')
+
+    def test_init_cookie_str_max_age_invalid(self):
+        self.assertRaises(ValueError, self._makeOne, 'secret', max_age='invalid value')
+
     def test_identify_nocookie(self):
         helper = self._makeOne('secret')
         request = self._makeRequest()
@@ -752,11 +761,24 @@ def test_identify_bad_cookie(self):
         result = helper.identify(request)
         self.assertEqual(result, None)
 
-    def test_identify_cookie_timed_out(self):
+    def test_identify_cookie_timeout(self):
         helper = self._makeOne('secret', timeout=1)
-        request = self._makeRequest({'HTTP_COOKIE':'auth_tkt=bogus'})
+        self.assertEqual(helper.timeout, 1)
+
+    def test_identify_cookie_str_timeout(self):
+        helper = self._makeOne('secret', timeout='1')
+        self.assertEqual(helper.timeout, 1)
+
+    def test_identify_cookie_timeout_aged(self):
+        import time
+        helper = self._makeOne('secret', timeout=10)
+        now = time.time()
+        helper.auth_tkt.timestamp = now - 1
+        helper.now = now + 10
+        helper.auth_tkt.tokens = (text_('a'), )
+        request = self._makeRequest('bogus')
         result = helper.identify(request)
-        self.assertEqual(result, None)
+        self.assertFalse(result)
 
     def test_identify_cookie_reissue(self):
         import time
@@ -774,6 +796,22 @@ def test_identify_cookie_reissue(self):
         self.assertEqual(len(response.headerlist), 3)
         self.assertEqual(response.headerlist[0][0], 'Set-Cookie')
 
+    def test_identify_cookie_str_reissue(self):
+        import time
+        helper = self._makeOne('secret', timeout=10, reissue_time='0')
+        now = time.time()
+        helper.auth_tkt.timestamp = now
+        helper.now = now + 1
+        helper.auth_tkt.tokens = (text_('a'), )
+        request = self._makeRequest('bogus')
+        result = helper.identify(request)
+        self.assertTrue(result)
+        self.assertEqual(len(request.callbacks), 1)
+        response = DummyResponse()
+        request.callbacks[0](request, response)
+        self.assertEqual(len(response.headerlist), 3)
+        self.assertEqual(response.headerlist[0][0], 'Set-Cookie')
+
     def test_identify_cookie_reissue_already_reissued_this_request(self):
         import time
         helper = self._makeOne('secret', timeout=10, reissue_time=0)
@@ -1058,6 +1096,16 @@ def test_remember_insane_userid(self):
         self.assertTrue('userid' in value.value)
 
     def test_remember_max_age(self):
+        helper = self._makeOne('secret')
+        request = self._makeRequest()
+        result = helper.remember(request, 'userid', max_age=500)
+        values = self._parseHeaders(result)
+        self.assertEqual(len(result), 3)
+
+        self.assertEqual(values[0]['max-age'], '500')
+        self.assertTrue(values[0]['expires'])
+
+    def test_remember_str_max_age(self):
         helper = self._makeOne('secret')
         request = self._makeRequest()
         result = helper.remember(request, 'userid', max_age='500')
@@ -1067,6 +1115,11 @@ def test_remember_max_age(self):
         self.assertEqual(values[0]['max-age'], '500')
         self.assertTrue(values[0]['expires'])
 
+    def test_remember_str_max_age_invalid(self):
+        helper = self._makeOne('secret')
+        request = self._makeRequest()
+        self.assertRaises(ValueError, helper.remember, request, 'userid', max_age='invalid value')
+
     def test_remember_tokens(self):
         helper = self._makeOne('secret')
         request = self._makeRequest()

diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
@@ -62,6 +62,18 @@ def test_timeout_never(self):
         session = self._makeOne(request, timeout=None)
         self.assertEqual(dict(session), {'state': 1})
 
+    def test_timeout_str(self):
+        import time
+        request = testing.DummyRequest()
+        cookieval = self._serialize((time.time() - 5, 0, {'state': 1}))
+        request.cookies['session'] = cookieval
+        session = self._makeOne(request, timeout='1')
+        self.assertEqual(dict(session), {})
+
+    def test_timeout_invalid(self):
+        request = testing.DummyRequest()
+        self.assertRaises(ValueError, self._makeOne, request, timeout='Invalid value')
+
     def test_changed(self):
         request = testing.DummyRequest()
         session = self._makeOne(request)
@@ -297,6 +309,23 @@ def test_reissue_never(self):
         self.assertEqual(session['state'], 1)
         self.assertFalse(session._dirty)
 
+    def test_reissue_str_triggered(self):
+        import time
+        request = testing.DummyRequest()
+        cookieval = self._serialize((time.time() - 2, 0, {'state': 1}))
+        request.cookies['session'] = cookieval
+        session = self._makeOne(request, reissue_time='0')
+        self.assertEqual(session['state'], 1)
+        self.assertTrue(session._dirty)
+
+    def test_reissue_invalid(self):
+        request = testing.DummyRequest()
+        self.assertRaises(ValueError, self._makeOne, request, reissue_time='invalid value')
+
+    def test_cookie_max_age_invalid(self):
+        request = testing.DummyRequest()
+        self.assertRaises(ValueError, self._makeOne, request, max_age='invalid value')
+
 class TestSignedCookieSession(SharedCookieSessionTests, unittest.TestCase):
     def _makeOne(self, request, **kw):
         from pyramid.session import SignedCookieSessionFactory
@@ -331,6 +360,23 @@ def test_reissue_never(self):
         self.assertEqual(session['state'], 1)
         self.assertFalse(session._dirty)
 
+    def test_reissue_str_triggered(self):
+        import time
+        request = testing.DummyRequest()
+        cookieval = self._serialize((time.time() - 2, 0, {'state': 1}))
+        request.cookies['session'] = cookieval
+        session = self._makeOne(request, reissue_time='0')
+        self.assertEqual(session['state'], 1)
+        self.assertTrue(session._dirty)
+
+    def test_reissue_invalid(self):
+        request = testing.DummyRequest()
+        self.assertRaises(ValueError, self._makeOne, request, reissue_time='invalid value')
+
+    def test_cookie_max_age_invalid(self):
+        request = testing.DummyRequest()
+        self.assertRaises(ValueError, self._makeOne, request, max_age='invalid value')
+
     def test_custom_salt(self):
         import time
         request = testing.DummyRequest()
Original file line number	Diff line number	Diff line change
Expand Up		@@ -254,3 +254,5 @@ Contributors
		- Jesse Dhillon, 2015/10/07

		- Amos Latteier, 2015/10/22

		- Rami Chousein, 2015/10/28