Merge pull request #29 from zopefoundation/jens_fix_28

- Fix CSRF defense incompatibility with some session implementations …

CHANGES.rst

@@ -4,7 +4,7 @@ Change Log
 2.0b3 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- Fix CSRF defense incompatibility with some session implementations
 
 
 2.0b2 (2018-10-16)

Products/PluggableAuthService/tests/test_utils.py

@@ -130,6 +130,18 @@ def test_w_token_in_request(self):
         token = self._callFUT(request)
         self.assertEqual(token, 'deadbeef')
 
+    def test_session_fails_truth_test(self):
+        # Some session implementations may not be recognized as
+        # valid sessions because when empty they fail a simple truth test.
+        # Using a dict here as an example.
+        request = _makeRequestWSession()
+        request.SESSION = {}
+        self._callFUT(request)
+
+        # After the call, the returned token must also be in the session
+        # if getCSRFToken has recognized our session as such.
+        self.assertIn('_csrft_', request.SESSION)
+
 
 class Test_checkCSRFToken(unittest.TestCase):
 

Products/PluggableAuthService/utils.py

@@ -198,7 +198,7 @@ def createKeywords(**kw):
 
 def getCSRFToken(request):
     session = getattr(request, 'SESSION', None)
-    if session:
+    if session is not None:
         token = session.get('_csrft_', None)
         if token is None:
             token = session['_csrft_'] = binascii.hexlify(os.urandom(20))