[Checkins] SVN: PluggableAuthService/branches/1.5/ Merge r78370 from trunk. This is a security fix: without it we could mix up users

Wichert Akkerman wichert at wiggy.net
Tue Sep 11 06:12:21 EDT 2007


Log message for revision 79562:
  Merge r78370 from trunk. This is a security fix: without it we could mix up users

Changed:
  U   PluggableAuthService/branches/1.5/PluggableAuthService.py
  U   PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py

-=-
Modified: PluggableAuthService/branches/1.5/PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/1.5/PluggableAuthService.py	2007-09-11 09:47:07 UTC (rev 79561)
+++ PluggableAuthService/branches/1.5/PluggableAuthService.py	2007-09-11 10:12:20 UTC (rev 79562)
@@ -761,11 +761,10 @@
 
         """ user_id -> info_dict or None
         """
-        criteria = {}
+        criteria = {'exact_match': True}
 
         if user_id is not None:
             criteria[ 'id' ] = user_id
-            criteria[ 'exact_match' ] = True
 
         if login is not None:
             criteria[ 'login' ] = login
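Review bot: The new `criteria = {'exact_match': True}` on line 24 makes every enumeration exact, including login-only lookups, but nothing in the hunk records why that matters, so the next maintainer could relax it again; a comment such as `# Always enumerate with exact_match: a substring match on login ('foo' vs 'foobar') could resolve to a different principal` above that line would preserve the reasoning. The fix also relies on every active IUserEnumerationPlugin honouring exact_match; if the remainder of _verifyUser does not already compare the returned record's id/login with the requested value, that post-check would be a cheap second line of defence. _verifyUser starts and ends outside this hunk.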

Modified: PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py	2007-09-11 09:47:07 UTC (rev 79561)
+++ PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py	2007-09-11 10:12:20 UTC (rev 79562)
@@ -61,6 +61,45 @@
 
         return ()
 
+class DummyMultiUserEnumerator( DummyPlugin ):
+
+    def __init__( self, pluginid, *users ):
+
+        self.PLUGINID = pluginid
+
+        self.users = users
+
+    def enumerateUsers( self, id=None, login=None,
+                        exact_match=False ):
+
+        results = []
+
+        for info in self.users:
+            id_match = False
+            if id:
+                if exact_match:
+                    if info['id'] == id:
+                        id_match = True
+                elif info['id'].find(id) != -1:
+                    id_match = True
+            else:
+                id_match = True
+
+            login_match = False
+            if login:
+                if exact_match:
+                    if info['login'] == login:
+                        login_match = True
+                elif info['login'].find(login) != -1:
+                    login_match = True
+            else:
+                login_match = True
+
+            if id_match and login_match:
+                results.append(info)
+
+        return tuple(results)
+
 class DummyGroupEnumerator( DummyPlugin ):
 
     def __init__( self, group_id ):
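Review bot: The id and login branches of `enumerateUsers` (lines 55–73) are the same four-way match written twice; a small nested helper removes the duplication and replaces `.find(x) != -1` with the `in` idiom. The rewrite below keeps the falsy-criterion semantics (an empty `id` or `login` matches everything) and the tuple return, and avoids syntax newer than the file's apparent Python 2.4-era style. Behaviour is otherwise unchanged, so the new test exercises the same path.
```python
    def enumerateUsers( self, id=None, login=None,
                        exact_match=False ):

        def matches( wanted, actual ):
            # No criterion matches everything; otherwise exact or substring.
            if not wanted:
                return True
            if exact_match:
                return actual == wanted
            return wanted in actual

        return tuple( [ info for info in self.users
                        if matches( id, info['id'] )
                        and matches( login, info['login'] ) ] )
```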
@@ -1042,6 +1081,30 @@
         self.failUnless(  zcuf._verifyUser( zcuf.plugins
                                           , login='bar at example.com' ) )
 
+    def test__verifyUser_login_userid( self ):
+
+        from Products.PluggableAuthService.interfaces.plugins \
+             import IUserEnumerationPlugin
+
+        plugins = self._makePlugins()
+        zcuf = self._makeOne( plugins )
+
+        enumerator = DummyMultiUserEnumerator(
+            'enumerator',
+            {'id': 'foo', 'login': 'foobar'},
+            {'id': 'bar', 'login': 'foo'})
+        directlyProvides( enumerator, IUserEnumerationPlugin )
+        zcuf._setObject( 'enumerator', enumerator )
+
+        plugins = zcuf._getOb( 'plugins' )
+
+        plugins.activatePlugin( IUserEnumerationPlugin, 'enumerator' )
+
+        self.failUnless(
+            zcuf._verifyUser(plugins, login='foo')['id'] == 'bar')
+        self.failUnless(
+            zcuf._verifyUser(plugins, login='foobar')['id'] == 'foo')
+
     def test__findUser_no_plugins( self ):
 
         plugins = self._makePlugins()
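Review bot: `test__verifyUser_login_userid` only asserts the `login=` path (lines 106–109) despite its name; the user-id branch the fix also touched is left unasserted. Adding `self.failUnless(zcuf._verifyUser(plugins, user_id='foo')['id'] == 'foo')` and the matching `'bar'` case would pin it, assuming the keyword is `user_id` as the body of _verifyUser in the first hunk suggests (its signature is outside the diff). A negative case such as `login='fo'` returning no user would also demonstrate that substring matches are no longer accepted.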


