Squash ValueError from SignedSerializer in CookieProfile #126
This is a show-stopper bug for Pyramid 1.5 because the new session class and authtkt use CookieProfile.
Right now, without this change, CookieProfile will raise an exception if the serializer fails to deserialize the data (such as a missing signature, an invalid signature or bad data); this is not caught anywhere in Pyramid (nor should it be) when get_value() is used. This means that if an attacker changes the cookie value, they can cause an exception that the user may not be expecting.
This would require implementors to either try/except get_value() or to set up a ValueError exception handler so that their web app doesn't return a 500 error to the user.
This patch simply squashes all of the possible exceptions; this fixes the issue and is a much saner solution.
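To make the failure mode concrete, here is an added, self-contained illustration (it is not WebOb's or Pyramid's code). It assumes a simplified signed-cookie format of HMAC-SHA512 signature followed by a JSON payload, a constructed secret, and two profile classes named `RaisingCookieProfile` (the pre-patch behaviour, where `get_value()` propagates the serializer's `ValueError`) and `CookieProfile` (the patched behaviour, where any deserialization failure yields `None`). The constructed cookies cover the three failure cases the description names plus outright garbage:

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this demo only; real deployments load it from config.
SECRET = b"demo-secret-not-for-production"
SIG_LEN = hashlib.sha512().digest_size  # 64 bytes


class SignedSerializer:
    """Minimal HMAC-signed serializer (illustration, not WebOb's class).

    dumps() returns urlsafe-base64(signature + payload). loads() verifies the
    signature and raises ValueError on any failure, which is the behaviour the
    PR description attributes to the real serializer.
    """

    def __init__(self, secret, salt=b"cookie"):
        self.key = hashlib.sha512(salt + secret).digest()

    def _sign(self, payload):
        sig = hmac.new(self.key, payload, hashlib.sha512).digest()
        return base64.urlsafe_b64encode(sig + payload)

    def dumps(self, value):
        return self._sign(json.dumps(value).encode("utf-8"))

    def loads(self, blob):
        try:
            raw = base64.urlsafe_b64decode(blob)
        except Exception as e:  # binascii.Error, UnicodeError, TypeError
            raise ValueError("cookie is not valid base64") from e
        sig, payload = raw[:SIG_LEN], raw[SIG_LEN:]
        if len(sig) != SIG_LEN:
            raise ValueError("missing signature")
        expected = hmac.new(self.key, payload, hashlib.sha512).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            raise ValueError("invalid signature")
        try:
            return json.loads(payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as e:
            raise ValueError("bad data") from e


class RaisingCookieProfile:
    """Pre-patch behaviour: get_value() lets the serializer's ValueError escape."""

    def __init__(self, serializer):
        self.serializer = serializer

    def get_value(self, cookie):
        if cookie is None:
            return None
        return self.serializer.loads(cookie)


class CookieProfile(RaisingCookieProfile):
    """Patched behaviour: any deserialization failure is reported as None."""

    def get_value(self, cookie):
        try:
            return super().get_value(cookie)
        except Exception:
            return None


def tampered_cookies(ser):
    """Constructed cookie values a client might send, keyed by failure case."""
    good = ser.dumps({"userid": 42})
    raw = base64.urlsafe_b64decode(good)
    sig, payload = raw[:SIG_LEN], raw[SIG_LEN:]
    return {
        "valid": good,
        "no_signature": base64.urlsafe_b64encode(payload),
        "bad_signature": base64.urlsafe_b64encode(bytes(SIG_LEN) + payload),
        "bad_data": ser._sign(b"{not json"),  # correctly signed, unparseable
        "garbage": b"not valid base64!",
    }


def check_profiles():
    """Run every constructed cookie through both profiles and collect results."""
    ser = SignedSerializer(SECRET)
    cookies = tampered_cookies(ser)
    before, after = {}, {}
    for name, cookie in cookies.items():
        try:
            before[name] = RaisingCookieProfile(ser).get_value(cookie)
        except ValueError as e:
            before[name] = "ValueError: %s" % e
        after[name] = CookieProfile(ser).get_value(cookie)
    return before, after


if __name__ == "__main__":
    before, after = check_profiles()
    for name in before:
        print("%-14s before=%r after=%r" % (name, before[name], after[name]))
```

The point of the comparison is that only the `valid` cookie yields a value under either profile; for every malformed cookie the pre-patch profile surfaces a `ValueError` that the application would have to catch itself, while the patched profile returns `None`, which is the same result as a missing cookie and is what session and auth-ticket code already handles.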