30 changes: 27 additions & 3 deletions mig/server/grid_openid.py
@@ -1,3 +1,3 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
Expand Down Expand Up @@ -116,7 +116,7 @@
from mig.shared.tlsserver import hardened_ssl_context
from mig.shared.url import urlparse, urlencode, check_local_site_url, \
parse_qsl
from mig.shared.useradm import get_openid_user_dn, check_password_scramble, \

check_hash
from mig.shared.userdb import default_db_path
from mig.shared.validstring import possible_user_id
Expand All @@ -130,12 +130,12 @@
cert_field_map.update({'role': 'ROLE', 'timezone': 'TZ', 'nickname': 'NICK',
'fullname': 'CN', 'o': 'O', 'ou': 'OU'})
cert_field_names = list(cert_field_map)
cert_field_values = list(cert_field_map.values())

cert_field_aliases = {}

# NOTE: response may contain password on the form
# (<Symbol Bare namespace>, 'password'): 'S3cr3tP4ssw0rd'
pw_pattern = "\(<Symbol Bare namespace>, 'password'\): '(.+)'"

pw_regexp = re.compile(pw_pattern)


Expand All @@ -158,7 +158,7 @@
def valid_cert_fields(arg):
"""Make sure only valid cert field names are allowed"""
valid_job_id(arg, extra_chars=',')
if [i for i in arg.split(',') if not i in cert_field_names]:

invalid_argument(arg)


Expand Down Expand Up @@ -303,7 +303,7 @@

# Add our own SReg fields to list of valid fields from sreg 1.1 spec
for (key, val) in cert_field_map.items():
if not key in sreg.data_fields:

sreg.data_fields[key] = key.replace('_', ' ').title()
# print "DEBUG: sreg fields: %s" % sreg.data_fields
for name in cert_field_names:
Expand Down Expand Up @@ -397,7 +397,14 @@
cookies = self.headers.get('Cookie')
cookie = http.cookies.SimpleCookie(cookies)
cookie_dict = dict((k, v.value) for k, v in cookie.items())
retry_url = cookie_dict.get('retry_url', '')
retry_url_enc = cookie_dict.get('retry_url_enc', '')
logger.debug("found retry_url_enc: %s" % retry_url_enc)
if retry_url_enc:
# NOTE: b64decode takes str and returns bytes
retry_url = force_native_str(base64.b64decode(retry_url_enc))
else:
retry_url = ''
logger.debug("decoded retry_url: %s" % retry_url)
if retry_url and retry_url.startswith("http"):
raise InputException("invalid retry_url: %s" % retry_url)
elif retry_url:
Expand All @@ -411,15 +418,33 @@

return retry_url

def __format_retry_url_for_cookie(self):
"""Format retry_url to fit in cookie"""
if self.retry_url is None:
retry_url = ''
else:
retry_url = self.retry_url
logger.debug("encoding retry_url: %s" % retry_url)
try:
valid_url(retry_url)
except InputException as exc:
retry_url = ''
logger.error("found invalid retry_url: %s" % exc)

# NOTE: b64encode takes bytes and returns bytes
enc = force_native_str(base64.b64encode(force_utf8(retry_url)))
logger.debug("encoded retry_url: %s" % enc)
return 'retry_url_enc=%s;secure;httponly' % enc

def clearUser(self):
"""Reset all saved user variables"""
self.user = None
self.user_dn = None

self.user_dn_dir = None

self.password = None
self.login_expire = None

def do_GET(self):

"""Handle all HTTP GET requests"""
# Make sure key is always available for exception handler
key = 'UNSET'
Expand All @@ -442,7 +467,7 @@
# Resolve retry url, strip password and err

retry_query = {key: val for (key, val) in self.query.items()
if not key in ['password', 'err']}

self.retry_url = "%s?%s" \
% (self.parsed_uri[2], urlencode(retry_query))

Expand Down Expand Up @@ -507,7 +532,7 @@
</p>""" % (configuration.support_email, error_ref)
self.showErrorPage(err_msg, error_code=500)

def do_POST(self):

"""Handle all HTTP POST requests"""
try:
# NOTE: force native string even if socketserver provides bytes
Expand Down Expand Up @@ -634,7 +659,7 @@
# Old IE 8 does not send contents of submit buttons thus only the
# fields login_as and password are set with the allow requests. We
# manually add a yes here if so to avoid the else case.
if not 'yes' in query and not 'no' in query:

query['yes'] = 'yes'

if 'yes' in query:
Expand Down Expand Up @@ -721,7 +746,7 @@
logger.warning("handleAllow rejected login %s" % identity)
# logger.debug("full query: %s" % self.query)
# logger.debug("full headers: %s" % self.headers)
fail_user, fail_pw = self.user, self.password

self.clearUser()
# Login failed - return to refering page to let user try again
retry_url = self.__retry_url_from_cookie()
Expand Down Expand Up @@ -852,7 +877,7 @@
self.addSRegResponse(request, response)
return response

def rejected(self, request, identifier=None):

"""Reject helper"""
response = request.answer(False, identity=identifier)
return response
Expand Down Expand Up @@ -941,7 +966,7 @@
allow_legacy):
logger.info("Accepted password hash login for %s from %s" %
(username, addr))
self.user_dn = distinguished_name

self.user_dn_dir = client_id_dir(distinguished_name)
self.login_expire = int(time.time() + self.session_ttl)
return True
Expand Down Expand Up @@ -1268,7 +1293,7 @@
</fieldset>
</form>
<p>
<a href="%(sid_url)s/cgi-sid/reqpwreset.py?show=migoid">Forgot your password?

</a>
</p>
</div>
Expand Down Expand Up @@ -1304,7 +1329,7 @@
<input type="checkbox" id="remember" name="remember" value="yes"
/><label for="remember">Remember this
decision</label><br />
Password: <input type="password" name="password" autofocus /><br />

<input type="submit" name="yes" value="yes" />
<input type="submit" name="no" value="no" />
</form>
Expand Down Expand Up @@ -1473,7 +1498,7 @@

<p>The URL for this server is
<a href=%s><span class="verbatim">%s</span></a>.</p>
''' % (user_message, quoteattr(self.server.base_url), self.server.base_url))


def showLoginPage(self, success_to, fail_to, query):
"""Login page provider"""
Expand Down Expand Up @@ -1578,8 +1603,7 @@

self.send_response(response_code)
self.writeUserHeader()
self.send_header('Set-Cookie', 'retry_url=%s;secure;httponly'
% self.retry_url)
self.send_header('Set-Cookie', self.__format_retry_url_for_cookie())


Code scanning / CodeQL

Construction of a cookie using user-supplied input Medium

Cookie is constructed from a
user-supplied input
.


Code scanning / CodeQL

HTTP Response Splitting Medium

This HTTP header is constructed from a
user-provided value
.
self.send_header('Content-type', 'text/html')
self.end_headers()
page_template = openid_page_template(configuration, head_extras)
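Review bot: In the `@@ -397,7 +397,14 @@` hunk the new `base64.b64decode(retry_url_enc)` call runs on a cookie value the client fully controls, and neither a malformed base64 string (`binascii.Error`) nor a decoded byte sequence that is not valid UTF-8 (`UnicodeDecodeError` inside `force_native_str`) is caught, so a garbage `retry_url_enc` cookie turns into an unhandled exception rather than the empty retry_url the else branch produces; both exception types are `ValueError` subclasses, so one `except ValueError` around the decode is enough, as in the excerpt below. The enclosing `__retry_url_from_cookie` method starts above the hunk, so I cannot see whether an outer handler already covers this. The base64 alphabet contains no CR, LF or `;`, which is what actually closes the two CodeQL response-splitting/cookie alerts on the `Set-Cookie` line further down — worth saying in the comment at `# NOTE: b64encode takes bytes and returns bytes`, e.g. `# NOTE: base64 output has no CR/LF/';' so the value is safe to embed in a header`. In `__format_retry_url_for_cookie`, `valid_url('')` is called whenever `self.retry_url` is None; if `valid_url` rejects the empty string this logs an error on every such request, which should be confirmed against its definition.
```python
        retry_url_enc = cookie_dict.get('retry_url_enc', '')
        logger.debug("found retry_url_enc: %s" % retry_url_enc)
        retry_url = ''
        if retry_url_enc:
            try:
                # NOTE: b64decode takes str and returns bytes; the cookie is
                # client-supplied, so treat undecodable input as "no retry url"
                retry_url = force_native_str(base64.b64decode(retry_url_enc))
            except ValueError as exc:
                logger.warning("ignoring malformed retry_url_enc cookie: %s" % exc)
                retry_url = ''
        # … unchanged: decoded-url debug log and http/retry_url checks …
```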