
Commit 413f1f2

committed
Don't parse cookies using pickle, due to security implications
1 parent 42c8044 commit 413f1f2

2 files changed

Lines changed: 8 additions & 9 deletions


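--- a/cms/server/contest/handlers/base.py
+++ b/cms/server/contest/handlers/base.py
@@ -34,8 +34,8 @@
 from __future__ import print_function
 from __future__ import unicode_literals
 
+import json
 import logging
-import pickle
 import socket
 import struct
 import traceback
@@ -224,7 +224,7 @@ def _get_current_user_from_cookie(self):
 
 # Parse cookie.
 try:
-cookie = pickle.loads(self.get_secure_cookie("login"))
+cookie = json.loads(self.get_secure_cookie("login"))
 username = cookie[0]
 password = cookie[1]
 last_update = make_datetime(cookie[2])
@@ -257,9 +257,9 @@ def _get_current_user_from_cookie(self):
 
 if self.refresh_cookie:
 self.set_secure_cookie("login",
-pickle.dumps((username,
-password,
-make_timestamp())),
+json.dumps([username,
+password,
+make_timestamp()]),
 expires_days=None)
 
 return participation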
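Review bot: The new `cookie = json.loads(self.get_secure_cookie("login"))` line fails differently from the pickle call it replaces — `ValueError` on a cookie that is not valid JSON (including every pickle-format cookie still held by browsers at deploy time), `TypeError` when `get_secure_cookie` returns `None` or the document is not a list, and `IndexError` on the following `cookie[0..2]` reads when the list is short — and the `except` clause guarding this `try` is outside the hunk, so confirm it covers these cases rather than only the exceptions pickle raised. The payload format is now defined implicitly by index in two places (this refresh and the login handler in main.py); a comment such as `# Cookie payload is a JSON list: [username, password, timestamp].` above the `try` would document the contract the next maintainer has to preserve. Separately, the signed cookie still carries the password itself at index 1 in both files; a Tornado secure cookie is signed, not encrypted, so the credential is readable by whoever holds the cookie, and a random session token or a password-derived value would be the safer payload. `_get_current_user_from_cookie` begins before this hunk and its exception handling sits between the second and third hunks.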

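--- a/cms/server/contest/handlers/main.py
+++ b/cms/server/contest/handlers/main.py
@@ -34,7 +34,6 @@
 
 import json
 import logging
-import pickle
 
 import tornado.web
 
@@ -117,9 +116,9 @@ def post(self):
 logger.info("User logged in: user=%s remote_ip=%s.",
 filtered_user, self.request.remote_ip)
 self.set_secure_cookie("login",
-pickle.dumps((user.username,
-correct_password,
-make_timestamp())),
+json.dumps([user.username,
+correct_password,
+make_timestamp()]),
 expires_days=None)
 self.redirect(next_page)
 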
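Review bot: The `json.dumps([user.username, correct_password, make_timestamp()])` expression duplicates, element for element, the serialization the refresh path in base.py performs, so the cookie layout now lives in two files that can drift independently; a single helper on the base handler, e.g. `def _make_login_cookie(self, username, password): return json.dumps([username, password, make_timestamp()])`, called from both sites would keep the writer and the reader (`cookie[0]`, `cookie[1]`, `cookie[2]` in base.py) agreeing on one definition. The password-in-cookie concern noted on base.py applies to `correct_password` here as well. `post` starts before this hunk.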
