Пример #1
 def test_cookie_tampering_future_timestamp(self):
     """A cookie whose payload digits were moved into the timestamp is rejected.

     The test first pins down a known weakness: the signature for value
     '12345678' with the issued timestamp equals the signature for value
     '1234' with timestamp '5678' + issued timestamp, so the signature
     alone does not fix where the value ends and the timestamp begins.
     It then confirms that get_secure_cookie() returns None for the
     re-split cookie.  Which validation step causes the rejection is not
     checked here.
     """
     request_handler = CookieTestRequestHandler()
     secret = request_handler.application.settings["cookie_secret"]
     # The six raw bytes below base64-encode to '12345678'.
     raw_value = binascii.a2b_hex(b('d76df8e7aefc'))
     request_handler.set_secure_cookie('foo', raw_value)
     stored = request_handler._cookies['foo']
     # The stored cookie has the form value|timestamp|signature.
     layout = b(r'12345678\|([0-9]+)\|([0-9a-f]+)')
     parts = re.match(layout, stored)
     self.assertTrue(parts)
     issued_at, signature = parts.group(1), parts.group(2)
     expected = _create_signature(secret, 'foo', '12345678', issued_at)
     self.assertEqual(expected, signature)
     # Moving '5678' from the value into the timestamp leaves the signature
     # unchanged.  This is not desirable; the assertion only records it.
     # NOTE(review): presumably the signed fields are joined without a
     # separator -- confirm in _create_signature.
     resplit = _create_signature(secret, 'foo', '1234',
                                 b('5678') + issued_at)
     self.assertEqual(resplit, signature)
     # Store the re-split cookie, reusing the original signature.
     forged = '1234|5678%s|%s' % (
         to_basestring(issued_at), to_basestring(signature))
     request_handler._cookies['foo'] = utf8(forged)
     # The re-split cookie must not be accepted.
     self.assertTrue(request_handler.get_secure_cookie('foo') is None)
Пример #2
 def test_cookie_tampering_future_timestamp(self):
     """Reject a cookie whose value digits were shifted into the timestamp.

     Two splits of the same digits ('12345678' + timestamp and
     '1234' + '5678' + timestamp) are shown to produce one signature, so
     the signature does not protect the boundary between the fields.  The
     re-split cookie must still come back as None from
     get_secure_cookie(), with "Cookie timestamp in future" expected on
     gen_log during that call.
     """
     handler = CookieTestRequestHandler()
     # a2b_hex yields six bytes whose base64 form is '12345678'
     handler.set_secure_cookie('foo', binascii.a2b_hex(b'd76df8e7aefc'))

     def sign(value, ts):
         # Signature for cookie name 'foo' under the application's secret.
         return _create_signature(
             handler.application.settings["cookie_secret"], 'foo', value, ts)

     # The stored cookie reads value|timestamp|signature.
     found = re.match(br'12345678\|([0-9]+)\|([0-9a-f]+)',
                      handler._cookies['foo'])
     self.assertTrue(found)
     timestamp, sig = found.groups()
     self.assertEqual(sign('12345678', timestamp), sig)
     # Same signature after moving '5678' into the timestamp.  Not desirable
     # behavior; the assertion only documents how signing works today.
     # NOTE(review): looks like the fields are signed without a delimiter --
     # confirm in _create_signature.
     self.assertEqual(sign('1234', b'5678' + timestamp), sig)
     # Replace the stored cookie with the re-split one, signature unchanged.
     tampered = '1234|5678%s|%s' % (
         to_basestring(timestamp), to_basestring(sig))
     handler._cookies['foo'] = utf8(tampered)
     # The signature cannot catch the re-split, so the expected log message
     # is what shows the inflated timestamp was the reason for rejection.
     # NOTE(review): presumably ExpectLog fails the test when no matching
     # message is logged -- confirm.
     with ExpectLog(gen_log, "Cookie timestamp in future"):
         result = handler.get_secure_cookie('foo')
         self.assertTrue(result is None)
Пример #3
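 def test_cookie_tampering_future_timestamp(self):
     """Reject a cookie whose value digits were shifted into the timestamp.

     The signature for value '12345678' with the issued timestamp is shown
     to equal the signature for value '1234' with timestamp
     '5678' + issued timestamp, so the signature does not bind the boundary
     between the two fields.  The test then stores the re-split cookie with
     the original signature and checks that get_secure_cookie() returns
     None.  Which validation step causes the rejection is not checked here.
     """
     handler = CookieTestRequestHandler()
     # this string base64-encodes to '12345678'
     handler.set_secure_cookie("foo", binascii.a2b_hex(b("d76df8e7aefc")))
     cookie = handler._cookies["foo"]
     # The stored cookie has the form value|timestamp|signature.
     match = re.match(b(r"12345678\|([0-9]+)\|([0-9a-f]+)"), cookie)
     # unittest assertions, not bare assert: bare asserts are stripped
     # under `python -O`, which would turn these checks into no-ops.
     self.assertTrue(match)
     timestamp = match.group(1)
     sig = match.group(2)
     self.assertEqual(
         _create_signature(handler.application.settings["cookie_secret"], "foo", "12345678", timestamp), sig
     )
     # shifting digits from payload to timestamp doesn't alter signature
     # (this is not desirable behavior, just confirming that that's how it
     # works)
     # NOTE(review): presumably the signed fields are joined without a
     # separator -- confirm in _create_signature.
     self.assertEqual(
         _create_signature(handler.application.settings["cookie_secret"], "foo", "1234", b("5678") + timestamp), sig
     )
     # tamper with the cookie
     # Decode before formatting: when the regex groups are bytes (Python 3,
     # assuming b() returns bytes there), "%s" would interpolate their repr
     # (b'...'), and the cookie would be malformed instead of re-split, so
     # the test would pass without exercising the intended case.
     handler._cookies["foo"] = utf8(
         "1234|5678%s|%s" % (timestamp.decode("ascii"), sig.decode("ascii"))
     )
     # it gets rejected
     self.assertTrue(handler.get_secure_cookie("foo") is None)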