urllib.parse.unquote is needed here, otherwise logout will fail. #950

Closed
houming818 opened this issue Mar 29, 2023 · 5 comments

@houming818
Contributor

houming818 commented Mar 29, 2023

     """
     Mark the login ticket as invalid
     """
     bk_token = request.COOKIES.get(settings.BK_COOKIE_NAME, None)
     if bk_token:
         BkToken.objects.filter(token=bk_token).update(is_logout=True)

@houming818
Contributor Author

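     """
     Mark the login ticket as invalid
     """
     bk_token = request.COOKIES.get(settings.BK_COOKIE_NAME, None)
     if bk_token:
         # Decode percent-escapes before the lookup (needs `import urllib.parse` at module level)
         bk_token = urllib.parse.unquote(bk_token)
         BkToken.objects.filter(token=bk_token).update(is_logout=True)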

@nannan00 nannan00 self-assigned this Apr 3, 2023
@nannan00 nannan00 added Type: bug Something isn't working Layer: login Login module related labels Apr 3, 2023
@nannan00 nannan00 added this to the Y2023M14 milestone Apr 3, 2023
@nannan00
Collaborator

nannan00 commented Apr 3, 2023

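Confirmed, this problem does exist, but we may still need to discuss the approach in the submitted PR.
Option 1: ensure on the encryption side that the token contains no special characters that can be escaped
Option 2: unquote bk_token after reading it from the cookie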

@nannan00
Collaborator

nannan00 commented Apr 3, 2023

Judging from the current Django source code, the cookie is unquoted, so this needs further investigation.

@nannan00
Collaborator

nannan00 commented Apr 6, 2023

> Judging from the current Django source code, the cookie is unquoted, so this needs further investigation.

Confirmed: the cookie._unquote here does not do the same thing as urllib.parse.unquote, so PR https://github.com/TencentBlueKing/bk-user/pull/951/files is OK.
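
Added example (not code from bk-user or from anyone in this thread) showing the difference confirmed above: the cookie-level `_unquote` in Python's `http.cookies` leaves percent-escapes in place, so the logout lookup matches no row and the ticket stays valid. The sample token, the dict standing in for the `BkToken` table, and the assumption that the cookie value arrives percent-encoded are constructed for illustration.

```python
from http.cookies import _unquote as cookie_unquote  # private stdlib helper, the "cookie._unquote" named in the thread
from urllib.parse import quote, unquote

# Constructed sample token (not a real bk_token): base64-style, so it contains + / =
STORED_TOKEN = "kZ3+abc/XYZ9=="


def new_store():
    """Hypothetical stand-in for the BkToken table: token -> is_logout."""
    return {STORED_TOKEN: False}


def logout(store, raw_cookie_value, percent_decode):
    """Mark the matching ticket invalid; return rows updated, like QuerySet.update()."""
    token = cookie_unquote(raw_cookie_value)  # cookie-level unquoting only
    if percent_decode:
        token = unquote(token)  # the change proposed in the issue
    if token in store:
        store[token] = True
        return 1
    return 0


def demo():
    # Assumption: the cookie value reaches the server percent-encoded.
    raw = quote(STORED_TOKEN, safe="")
    before, after = new_store(), new_store()
    return {
        "raw": raw,
        # Cookie-level unquoting leaves %XX sequences untouched ...
        "cookie_unquote_raw": cookie_unquote(raw),
        # ... it only strips surrounding double quotes and backslash escapes.
        "cookie_unquote_quoted": cookie_unquote('"a\\054b"'),
        "rows_without_fix": logout(before, raw, percent_decode=False),
        "still_valid_without_fix": before[STORED_TOKEN] is False,
        "rows_with_fix": logout(after, raw, percent_decode=True),
        "revoked_with_fix": after[STORED_TOKEN] is True,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`urllib.parse.unquote` also rewrites any literal `%XX` sequence in a value that was never percent-encoded, which is the case Option 1 (a token alphabet with no escapable characters) avoids.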

@houming818
Contributor Author

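@nannan00 This does need discussion, because reading data from cookies is a frequent operation and unquoting in every place is not very convenient. I suggest handling it this way for now; if problems come up elsewhere, we can then work out a suitable unified solution.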

yuri0528 pushed a commit to yuri0528/bk-user that referenced this issue May 8, 2023