
Module plone.session.tktauth, line 247, in splitTicket #33


Open
zopyx opened this issue Oct 9, 2022 · 10 comments · May be fixed by #62
Comments

@zopyx
Member

zopyx commented Oct 9, 2022

Plone 6.0.0b3, plone.session 4.0.0b2

I receive this error for each page load on a fresh Plone site with content added through collective.exportimport:

2022-10-10 12:45:29,366 ERROR   [Zope.SiteErrorLog:35][waitress-0] ValueError: http://dev2.zopyx.de:43080/eteaching/++webresource++6e394ff2-5e80-5880-9df7-ed8e59129465/acl_users/session/refresh
Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 167, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 376, in publish_module
  Module ZPublisher.WSGIPublisher, line 271, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 68, in call_object
  Module plone.session.plugins.session, line 432, in refresh
  Module plone.session.plugins.session, line 403, in _refreshSession
  Module plone.session.plugins.session, line 231, in _validateTicket
  Module plone.session.tktauth, line 246, in splitTicket
ValueError
ticket = b'61646d696e:61646d696e'
encoding = None
@zopyx zopyx added this to the Plone 6.0 milestone Oct 9, 2022
@gforcada
Member

gforcada commented Oct 9, 2022

That line is trying to convert the ticket to a number, there is a colon on the ticket you posted, so no wonder it breaks, why there is a colon though? 🤔

@zopyx
Member Author

zopyx commented Oct 9, 2022

No idea... I doubt that is coming from our policy file... I do not even know what tktauth is supposed to do 😇

@mauritsvanrees
Member

Can you post the full traceback please? It does not include an error.

@zopyx
Member Author

zopyx commented Oct 10, 2022

> Can you post the full traceback please? It does not include an error.

I updated the original traceback

@gforcada
Member

I see that @ale-rt removed six before 4.0.0b2 was released. File history and the specific commit.

Would you happen to have time to test if it happens with 4.0.0b1? Maybe the six removal is the problem, given that it raises a ValueError and your input seems to be bytes?

All of this is wild guessing at 5:40 at night, so take it with a bit of 🧂

@ale-rt
Member

ale-rt commented Nov 30, 2022

The ticket is simply too short... it should be 32 chars (which is a checksum) + 8 chars (a timestamp in hex) + whatever.
No idea why your ticket is so short and in the form $16_digit_hex:$16_digit_hex

@gogobd

gogobd commented Feb 10, 2025

We get the same ValueError.

@petschki
Member

We have the same ValueError here, but only for our superadmin users on the Zope/acl_users level. All Plone/acl_users users have the correct ticket.

@rohnsha0
Member

rohnsha0 commented May 24, 2025

try:
creds["cookie"] = binascii.a2b_base64(request.get(self.cookie_name))
except binascii.Error:
# If we have a cookie which is not properly base64 encoded it
# can not be ours.
return creds

I replaced it with:

        try:
            decoded_cookie = binascii.a2b_base64(request.get(self.cookie_name))
        except binascii.Error:
            # If we have a cookie which is not properly base64 encoded it
            # can not be ours.
            return creds

        # Validate that the decoded cookie has the minimum expected format
        # A valid ticket must be at least 40 bytes: 32 (digest) + 8 (timestamp)
        if len(decoded_cookie) < 40:
            # This is not a valid session ticket format
            return creds
        
        # Basic format validation: check if timestamp portion (bytes 32-40) is hex
        try:
            int(decoded_cookie[32:40], 16)
        except (ValueError, TypeError):
            # Invalid timestamp format - not a valid session ticket
            return creds

        creds["cookie"] = decoded_cookie

and after this line:

added:

        
        # Validate that the decoded cookie has the minimum expected format
        # A valid ticket must be at least 40 bytes: 32 (digest) + 8 (timestamp)
        if len(ticket) < 40:
            # This is not a valid session ticket format
            return None
        
        # Basic format validation: check if timestamp portion (bytes 32-40) is hex
        try:
            int(ticket[32:40], 16)
        except (ValueError, TypeError):
            # Invalid timestamp format - not a valid session ticket
            return None
            

@davisagli
Member

@rohnsha0 Instead of adding the same code in 2 places, I would check it in _validateTicket before it calls _splitTicket.
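As an added example for this thread (not plone.session's own code, and not what the project merged): a standalone mod_auth_tkt-style ticket parser with the format pre-check placed before the split, as davisagli suggests, so that a malformed cookie such as the reported b'61646d696e:61646d696e' yields None instead of a ValueError reaching the error log on every page load. The layout (32 hex-digit digest, 8 hex-digit timestamp, then userid!tokens!user_data) follows ale-rt's description; the digest construction (HMAC-MD5 over the timestamp and fields), the function names and the sample secret are assumptions made here for a runnable example. The block also decodes the two hex halves of the reported ticket so you can see what they spell.

```python
"""Ticket-format pre-check and parser for a mod_auth_tkt-style ticket.

Added example for this issue; it is not plone.session's code. The layout
(32 hex-digit digest, 8 hex-digit timestamp, then userid!tokens!user_data)
follows the comments above; the digest construction is an assumption made
here so that the example runs end to end.
"""
import hashlib
import hmac
import re
import time

DIGEST_LEN = 32                      # md5 hexdigest
STAMP_LEN = 8                        # unix time as 8 hex digits
HEADER_LEN = DIGEST_LEN + STAMP_LEN  # 40: the minimum length of a real ticket

# Strict header check: exactly lowercase hex, anchored at the start. This is
# tighter than int(ticket[32:40], 16), which also accepts surrounding
# whitespace, a leading sign and underscores between digits.
HEADER_RE = re.compile(rb"[0-9a-f]{32}[0-9a-f]{8}")

# The ticket value from the report above (21 bytes, contains a ':').
REPORTED_TICKET = b"61646d696e:61646d696e"


def _digest(secret, userid, tokens, user_data, timestamp):
    """Assumed digest: HMAC-MD5 over the packed timestamp and the three fields."""
    msg = timestamp.to_bytes(4, "big") + userid + b"\0" + tokens + b"\0" + user_data
    return hmac.new(secret, msg, hashlib.md5).hexdigest().encode("ascii")


def create_ticket(secret, userid, tokens=(), user_data=b"", timestamp=None):
    """Build digest + hex timestamp + userid!tokens!user_data."""
    if timestamp is None:
        timestamp = int(time.time())
    tokens_b = b",".join(tokens)
    digest = _digest(secret, userid, tokens_b, user_data, timestamp)
    return digest + f"{timestamp:08x}".encode("ascii") + userid + b"!" + tokens_b + b"!" + user_data


def split_ticket(ticket):
    """Return (digest, timestamp, userid, tokens, user_data), or None for
    anything that does not look like a ticket. It never raises on bad input:
    the cookie is client-controlled, so a parse failure is a normal outcome."""
    if not isinstance(ticket, bytes) or not HEADER_RE.match(ticket):
        return None
    digest = ticket[:DIGEST_LEN]
    timestamp = int(ticket[DIGEST_LEN:HEADER_LEN], 16)
    parts = ticket[HEADER_LEN:].split(b"!")
    if len(parts) != 3:
        return None
    userid, tokens_b, user_data = parts
    tokens = tuple(t for t in tokens_b.split(b",") if t)
    return digest, timestamp, userid, tokens, user_data


def validate_ticket(secret, ticket, timeout=0, now=None):
    """Parse, then check the digest in constant time and the age.
    Returns (userid, tokens, user_data) or None."""
    parsed = split_ticket(ticket)
    if parsed is None:
        return None
    digest, timestamp, userid, tokens, user_data = parsed
    expected = _digest(secret, userid, b",".join(tokens), user_data, timestamp)
    if not hmac.compare_digest(digest, expected):
        return None
    if timeout:
        if now is None:
            now = time.time()
        if timestamp + timeout < now:
            return None
    return userid, tokens, user_data


def decode_reported_ticket(ticket=REPORTED_TICKET):
    """The reported value is two hex strings around a ':'; show what they spell."""
    return tuple(bytes.fromhex(part.decode("ascii")) for part in ticket.split(b":"))


if __name__ == "__main__":
    print(split_ticket(REPORTED_TICKET))          # None, instead of a ValueError
    print(decode_reported_ticket())               # (b'admin', b'admin')
    t = create_ticket(b"s3cret", b"alice", (b"editor",))
    print(validate_ticket(b"s3cret", t))          # (b'alice', (b'editor',), b'')
    print(validate_ticket(b"wrong-secret", t))    # None
```

Two design points worth keeping if you port the check: do the format check once, in front of the split, rather than duplicating it in the credential extractor and the splitter; and prefer an anchored hex regex over int(..., 16), because int() tolerates whitespace, a sign and underscores, so it passes strings that are not the 8-digit timestamp the format requires.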


8 participants