From f9b83198354004daca9e580cd882044422c3bc1f Mon Sep 17 00:00:00 2001
From: Jake Moshenko
Date: Fri, 21 Nov 2014 10:28:50 -0500
Subject: [PATCH] Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type.

---
 auth/auth.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/auth/auth.py b/auth/auth.py
index 66ba4b921..d7dce7568 100644
--- a/auth/auth.py
+++ b/auth/auth.py
@@ -1,6 +1,7 @@
 import logging
 
 from functools import wraps
+from uuid import UUID
 from datetime import datetime
 from flask import request, session
 from flask.ext.principal import identity_changed, Identity
@@ -23,6 +24,12 @@ logger = logging.getLogger(__name__)
 
 def _load_user_from_cookie():
   if not current_user.is_anonymous():
+    try:
+      # Attempt to parse the user uuid to make sure the cookie has the right value type
+      UUID(current_user.get_id())
+    except ValueError:
+      return None
+
     logger.debug('Loading user from cookie: %s', current_user.get_id())
     set_authenticated_user_deferred(current_user.get_id())
     loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
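Review bot: The new guard's `except ValueError:` around `UUID(current_user.get_id())` does not cover the `TypeError` or `AttributeError` that `uuid.UUID` raises when `get_id()` yields `None` or a non-string, so if a stale or tampered session value can take that shape it still surfaces as a 500 instead of being discarded; and the parsed `UUID` is thrown away, so the un-normalised string (upper case, braces and a `urn:uuid:` prefix all parse) is what reaches `set_authenticated_user_deferred` and the `'user_uuid'` lookup on the three lines below it. I would catch the broader tuple, bind `get_id()` once, pass on `str(UUID(...))` so the lookup always sees the canonical lower-case hyphenated form, and log the rejection (with `%r`, so a hostile value cannot inject newlines into the log) rather than returning silently. Whether the stored `user_uuid` is in canonical form and whether `get_id()` can ever return a non-string here cannot be confirmed from this hunk. `_load_user_from_cookie` continues past the end of the hunk.
```python
  if not current_user.is_anonymous():
    user_id = current_user.get_id()
    try:
      # Only a well-formed UUID may be treated as a user id; normalise it so the
      # lookup below never sees braces, a urn: prefix or mixed case.
      user_uuid = str(UUID(user_id))
    except (ValueError, TypeError, AttributeError):
      logger.debug('Ignoring cookie with non-UUID user id: %r', user_id)
      return None

    logger.debug('Loading user from cookie: %s', user_uuid)
    set_authenticated_user_deferred(user_uuid)
    loaded = QuayDeferredPermissionUser(user_uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
    # … unchanged: remainder of _load_user_from_cookie …
```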