[Checkins] SVN: PluggableAuthService/trunk/ - Passwords with ":"
characters would break authentication
Jens Vagelpohl
jens at dataflake.org
Sun May 27 14:24:45 EDT 2007
Log message for revision 75979:
- Passwords with ":" characters would break authentication
(http://www.zope.org/Collectors/PAS/51)
Changed:
U PluggableAuthService/trunk/doc/CHANGES.txt
U PluggableAuthService/trunk/plugins/CookieAuthHelper.py
U PluggableAuthService/trunk/plugins/tests/test_CookieAuthHelper.py
-=-
Modified: PluggableAuthService/trunk/doc/CHANGES.txt
===================================================================
--- PluggableAuthService/trunk/doc/CHANGES.txt 2007-05-27 18:06:11 UTC (rev 75978)
+++ PluggableAuthService/trunk/doc/CHANGES.txt 2007-05-27 18:24:45 UTC (rev 75979)
@@ -12,6 +12,9 @@
Bugs Fixed
+ - Passwords with ":" characters would break authentication
+ (http://www.zope.org/Collectors/PAS/51)
+
- Corrected documented software dependencies
- Converted to publishable security sensitive methods to only accept
Modified: PluggableAuthService/trunk/plugins/CookieAuthHelper.py
===================================================================
--- PluggableAuthService/trunk/plugins/CookieAuthHelper.py 2007-05-27 18:06:11 UTC (rev 75978)
+++ PluggableAuthService/trunk/plugins/CookieAuthHelper.py 2007-05-27 18:24:45 UTC (rev 75979)
@@ -125,8 +125,8 @@
# Cookie is in a different format, so it is not ours
return creds
- creds['login'] = login
- creds['password'] = password
+ creds['login'] = login.decode('hex')
+ creds['password'] = password.decode('hex')
if creds:
creds['remote_host'] = request.get('REMOTE_HOST', '')
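Review bot: `login.decode('hex')` and `password.decode('hex')` on lines 34–35 raise on any cookie whose payload is not valid hex — including cookies written by the previous version of updateCredentials, which stored the raw `login:password` — so a stale or tampered cookie now surfaces as an unhandled exception instead of the "not ours" empty `creds` that the comment on line 30 describes. I would wrap the two decodes so that a malformed payload takes the same early-return path as a foreign cookie (Python 2's hex codec raises TypeError for non-hex digits and odd-length input; confirm for the interpreter in use). extractCredentials begins before this hunk, so the surrounding split and early return are assumed from lines 30–31.
```python
# … unchanged: cookie split and "not ours" early return …
try:
    creds['login'] = login.decode('hex')
    creds['password'] = password.decode('hex')
except TypeError:
    # Payload is not hex (legacy or foreign cookie): treat it as not ours.
    return creds
```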
@@ -148,7 +148,8 @@
security.declarePrivate('updateCredentials')
def updateCredentials(self, request, response, login, new_password):
""" Respond to change of credentials (NOOP for basic auth). """
- cookie_val = encodestring('%s:%s' % (login, new_password))
+ cookie_str = '%s:%s' % (login.encode('hex'), new_password.encode('hex'))
+ cookie_val = encodestring(cookie_str)
cookie_val = cookie_val.rstrip()
response.setCookie(self.cookie_name, quote(cookie_val), path='/')
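Review bot: The new cookie layout on line 43 (hex-encoded login and password joined by ':', then base64) is not explained anywhere in the method, and the docstring on line 41 still says "(NOOP for basic auth)" although the method sets a cookie on line 46. I would add above line 43: `# Hex-encode both fields so a ':' inside the login or password cannot be confused with the field separator; extractCredentials decodes the same way.` and drop the NOOP remark from the docstring. Note also that hex doubles the payload, so `encodestring` will start wrapping the base64 with embedded line breaks once login plus password exceed roughly 28 characters, and `rstrip()` on line 45 removes only the trailing one; whether that matters depends on the decoder in extractCredentials, which is outside this hunk.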
Modified: PluggableAuthService/trunk/plugins/tests/test_CookieAuthHelper.py
===================================================================
--- PluggableAuthService/trunk/plugins/tests/test_CookieAuthHelper.py 2007-05-27 18:06:11 UTC (rev 75978)
+++ PluggableAuthService/trunk/plugins/tests/test_CookieAuthHelper.py 2007-05-27 18:24:45 UTC (rev 75979)
@@ -89,13 +89,13 @@
helper = self._makeOne()
response = FauxCookieResponse()
request = FauxSettableRequest(__ac_name='foo',
- __ac_password='bar',
+ __ac_password='b:ar',
RESPONSE=response)
self.assertEqual(len(response.cookies), 0)
self.assertEqual(helper.extractCredentials(request),
{'login': 'foo',
- 'password': 'bar',
+ 'password': 'b:ar',
'remote_host': '',
'remote_address': ''})
self.assertEqual(len(response.cookies), 0)
@@ -151,7 +151,27 @@
helper.login()
self.assertEqual(len(response.cookies), 0)
+ def test_extractCredentials_from_cookie_with_colon_in_password(self):
+ # http://www.zope.org/Collectors/PAS/51
+ # Passwords with ":" characters broke authentication
+ from base64 import encodestring
+ helper = self._makeOne()
+ response = FauxCookieResponse()
+ request = FauxSettableRequest(RESPONSE=response)
+
+ cookie_str = '%s:%s' % ('foo'.encode('hex'), 'b:ar'.encode('hex'))
+ cookie_val = encodestring(cookie_str)
+ cookie_val = cookie_val.rstrip()
+ request.set(helper.cookie_name, cookie_val)
+
+ self.assertEqual(helper.extractCredentials(request),
+ {'login': 'foo',
+ 'password': 'b:ar',
+ 'remote_host': '',
+ 'remote_address': ''})
+
+
if __name__ == "__main__":
unittest.main()
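Review bot: The new test on lines 77–79 re-implements the encoding from updateCredentials instead of calling it, so if encoder and decoder drift apart this test keeps passing while real logins fail; a round trip through `helper.updateCredentials(request, response, 'foo', 'b:ar')` followed by extractCredentials on the resulting cookie would pin the pair together, if the fixture supports it. There is also no test for a cookie whose payload is not hex — one issued before this change, or an arbitrary value — which is the input most likely to reach the new `.decode('hex')` calls in production; a test that sets `request.set(helper.cookie_name, encodestring('foo:b:ar').rstrip())` and asserts the intended outcome (presumably empty credentials rather than an exception) would catch an unhandled decode error.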