fixed session_cookie_key leak

2016-03-21 17:25:16 -05:00
parent 6a569bf56e
commit 5cf835d856
4 changed files with 3 additions and 13 deletions
--- a/applications/examples/controllers/simple_examples.py
+++ b/applications/examples/controllers/simple_examples.py
@@ -35,12 +35,6 @@ def hello6():
    response.flash = 'Hello World in a flash!'
    return dict(message=T('Hello World'))

-
-def status():
-    """ page that shows internal status"""
-    return dict(toolbar=response.toolbar())
-
-
 def redirectme():
    """ redirects to /{{=request.application}}/{{=request.controller}}/hello3 """

--- a/applications/examples/views/default/examples.html
+++ b/applications/examples/views/default/examples.html
@@ -94,7 +94,6 @@ def status():
    return dict(toobar=response.toolbar())
    """.strip(),language='web2py',link=URL('global','vars'),_class='boxCode')}}
    <p>Here we are showing the request, session and response objects using the generic.html template.
-    <br/>Try it here: <a class="btn" href="/{{=request.application}}/simple_examples/status">status</a></p>

    <h3>Example {{=c}}{{c+=1}}</h3><b>In controller: simple_examples.py</b>
    {{=CODE("""
--- a/applications/examples/views/simple_examples/status.html
+++ b/applications/examples/views/simple_examples/status.html
@@ -1,3 +0,0 @@
-{{extend 'layout.html'}}
-
-{{=toolbar}}
--- a/gluon/globals.py
+++ b/gluon/globals.py
@@ -812,7 +812,7 @@ class Session(Storage):
        response.session_data_name = 'session_data_%s' % masterapp.lower()
        response.session_cookie_expires = cookie_expires
        response.session_client = str(request.client).replace(':', '.')
-        response.session_cookie_key = cookie_key
+        current._session_cookie_key = cookie_key
        response.session_cookie_compression_level = compression_level

        # check if there is a session_id in cookies
@@ -1065,7 +1065,7 @@ class Session(Storage):

        # if not cookie_key, but session_data_name in cookies
        # expire session_data_name from cookies
-        if not response.session_cookie_key:
+        if not current._session_cookie_key:
            if response.session_data_name in cookies:
                rcookies[response.session_data_name] = 'expired'
                rcookies[response.session_data_name]['path'] = '/'
@@ -1128,7 +1128,7 @@ class Session(Storage):
        name = response.session_data_name
        compression_level = response.session_cookie_compression_level
        value = secure_dumps(dict(self),
-                             response.session_cookie_key,
+                             current._session_cookie_key,
                             compression_level=compression_level)
        rcookies = response.cookies
        rcookies.pop(name, None)