EN-2988, cookie v3 risk v2 #11
Conversation
…s logs, added to debugger INFO, added px_constants class
perimeterx-python-wsgi.iml
Outdated
| @@ -0,0 +1,27 @@ | |||
| <?xml version="1.0" encoding="UTF-8"?> | |||
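Review bot: the new `perimeterx-python-wsgi.iml` is an IDE project file and should not be committed; instead of adding it here, add `*.iml` to `.gitignore` so it is not re-added by later commits.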
I don't think this file is necessary in the repository
| if not px_cookies: | ||
| return None | ||
|
|
||
| prefix = px_cookies[0] |
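Review bot: `prefix = px_cookies[0]` takes whichever cookie name happens to be first, and nothing in this hunk orders `px_cookies`, so when a request carries both a v1 and a v3 cookie the one that gets validated depends on client-controlled ordering rather than on a rule; sort the list (or select the v3 name explicitly) before this line so the choice is deterministic.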
Is it guaranteed that if you have both v1 and v3, the v3 will be the one you get here?
yes, tested it
That's not what I'm asking. The fact that it once ran and worked, does not mean it's guaranteed to work.
What is the mechanism that enforces it? I didn't see any sorting of the px_cookies list.
fixed
| return False | ||
| data = base64.b64decode(parts[2]) | ||
| dk = self.pbkdf2_hmac('sha256', self.config['cookie_key'], salt, iterations, dklen=48) | ||
| key = dk[:32] |
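Review bot: `data = base64.b64decode(parts[2])` raises `binascii.Error` (a `ValueError`) on malformed input, so this line needs a `try`/`except` that returns `False` the way the check just above it does; and if `iterations` is read from the cookie rather than from config, cap it before the `pbkdf2_hmac` call, otherwise a crafted cookie makes every validation arbitrarily expensive. The `dklen=48` and the `32` in `dk[:32]` are the obvious candidates for `px_constants`.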
While you're refactoring, it might be a good idea to move some of these magic numbers to the new px_constants file
Which of these magics are you referring to?
What about supporting JS challenge?
@yaronpx
@yaronpx please re-review
perimeterx/px_cookie.py
Outdated
| def build_px_cookie(ctx, config): | ||
| config["logger"].debug("PxCookie[build_px_cookie]") | ||
| px_cookies = ctx['px_cookies'].keys() | ||
| px_cookies.sort(reverse=True) |
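Review bot: `px_cookies = ctx['px_cookies'].keys()` followed by `px_cookies.sort(reverse=True)` only works on Python 2, where `keys()` returns a list; on Python 3 it returns a view with no `sort` method and this raises `AttributeError`. Use `px_cookies = sorted(ctx['px_cookies'].keys(), reverse=True)`, which behaves the same on both, and do the sort once where `px_cookies` is stored in the context rather than in each caller.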
Probably better to sort after you check the list exists.
Actually it's best to sort right before you store it in px_context
No description provided.