[Checkins] SVN: PluggableAuthService/trunk/ - merge in changes from
my branch
Andrew Sawyers
andrew at sawdog.com
Fri Oct 20 17:19:12 EDT 2006
Log message for revision 70857:
- merge in changes from my branch
- updated change log
Changed:
U PluggableAuthService/trunk/doc/CHANGES.txt
U PluggableAuthService/trunk/plugins/CookieAuthHelper.py
U PluggableAuthService/trunk/plugins/DelegatingMultiPlugin.py
-=-
Modified: PluggableAuthService/trunk/doc/CHANGES.txt
===================================================================
--- PluggableAuthService/trunk/doc/CHANGES.txt 2006-10-20 21:05:12 UTC (rev 70856)
+++ PluggableAuthService/trunk/doc/CHANGES.txt 2006-10-20 21:19:11 UTC (rev 70857)
@@ -10,6 +10,14 @@
Bugs Fixed
+ - Fixed bug in DelegatingMultiPlugin which attempted to validated the
+ supplied password directly against the user password - updated to use
+ AuthEncoding.pw_validate to handle encoding issues
+
+ - Fixed serious security hole in DelegratingMultiPlugin which allowed
+ Authentication if simply the EmergencyUser login was passed in. Added
+ password validation utilizing AuthEncoding.pw_validate
+
- Fixed a set of tests that tested values computed from dictionaries
and could break since dictionaries are not guaranteed to have any
sort order.
@@ -30,6 +38,9 @@
Other
+ - cleaned up code in CookieAuthHelper which allowed the form to override
+ login/password if a cookie had already been set.
+
- Removed some BBB code for Zope versions < 2.8, which is not needed
since we require Zope > 2.8.5 nowadays.
Modified: PluggableAuthService/trunk/plugins/CookieAuthHelper.py
===================================================================
--- PluggableAuthService/trunk/plugins/CookieAuthHelper.py 2006-10-20 21:05:12 UTC (rev 70856)
+++ PluggableAuthService/trunk/plugins/CookieAuthHelper.py 2006-10-20 21:19:11 UTC (rev 70857)
@@ -110,16 +110,13 @@
""" Extract credentials from cookie or 'request'. """
creds = {}
cookie = request.get(self.cookie_name, '')
- login = request.get('__ac_name', '')
+ # Look in the request.form for the names coming from the login form
+ login = request.form.get('__ac_name', '')
if login:
- # Look in the request for the names coming from the login form
- login = request.get('__ac_name', '')
- password = request.get('__ac_password', '')
+ creds['login'] = login
+ creds['password'] = request.form.get('__ac_password', '')
- if login:
- creds['login'] = login
- creds['password'] = password
elif cookie and cookie != 'deleted':
cookie_val = decodestring(unquote(cookie))
login, password = cookie_val.split(':')
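Review bot: The new `request.form.get('__ac_name', '')` on line 48 narrows where a login may come from, but the comment on line 47 only restates what the call does; a why-comment such as `# Use request.form, not request.get(): only a real login-form submission may replace the cookie credentials` would record the intent, which I take to be keeping the cookie as the sole non-form source (this depends on how this request object's get() resolves names, so confirm). Also visible in the new code: when the form carries `__ac_name` but no `__ac_password`, `creds['password']` becomes '' and the cookie is never consulted, which matches the old branch but deserves a comment. The `decodestring(unquote(cookie)).split(':')` pair on lines 59-60 is unchanged and still raises on a malformed cookie value; outside this commit's scope but adjacent to it. The enclosing method begins and ends outside the hunk.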
@@ -183,7 +180,7 @@
url = self.getLoginURL()
if url is not None:
came_from = req.get('came_from', None)
-
+
if came_from is None:
came_from = req.get('URL', '')
query = req.get('QUERY_STRING')
@@ -204,7 +201,7 @@
# the only sane thing to do is to give up because we are
# in an endless redirect loop.
return 0
-
+
url = url + '?came_from=%s' % quote(came_from)
resp.redirect(url, lock=1)
return 1
Modified: PluggableAuthService/trunk/plugins/DelegatingMultiPlugin.py
===================================================================
--- PluggableAuthService/trunk/plugins/DelegatingMultiPlugin.py 2006-10-20 21:05:12 UTC (rev 70856)
+++ PluggableAuthService/trunk/plugins/DelegatingMultiPlugin.py 2006-10-20 21:19:11 UTC (rev 70857)
@@ -31,6 +31,7 @@
from AccessControl.SpecialUsers import emergency_user
from zope.interface import Interface
+from AccessControl import AuthEncoding
from Products.PageTemplates.PageTemplateFile import PageTemplateFile
@@ -124,15 +125,19 @@
if not acl or not login or not password:
return (None, None)
- if login == emergency_user.getUserName():
+ if login == emergency_user.getUserName() and \
+ AuthEncoding.pw_validate(emergency_user._getPassword(), password):
return ( login, login )
user = acl.getUser(login)
+
if user is None:
return (None, None)
- elif user and user._getPassword() == password:
+
+ elif user and AuthEncoding.pw_validate(user._getPassword(),
+ password):
return ( user.getId(), login )
-
+
return (None, None)
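Review bot: With the condition on lines 92-93 combined by `and`, a login equal to the emergency user's name that fails `pw_validate` no longer returns; it falls through to `acl.getUser(login)` on line 95, so the same password is then tried against any ordinary user of that name and a match there would succeed. If the emergency name is meant to be reserved, reject explicitly in that branch instead of falling through (rewrite below); if the fall-through is intentional, a comment saying so belongs on line 92. Style: `elif user and ...` on line 101 is redundant after the `if user is None: return` on lines 97-98 — `user` is known truthy there, so `if AuthEncoding.pw_validate(...)` suffices, and the backslash continuation on line 92 would read better wrapped in parentheses. A brief comment such as `# pw_validate handles encoded stored passwords; never compare the raw strings` would record why the direct comparison was replaced here and on line 101. The enclosing method's signature is above the hunk.
```python
    if login == emergency_user.getUserName():
        # Reserved name: never fall through to the regular user lookup.
        if AuthEncoding.pw_validate(emergency_user._getPassword(), password):
            return ( login, login )
        return (None, None)
    # … unchanged: acl.getUser(login) lookup and pw_validate check …
```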