[Checkins] SVN: zope.password/trunk/ Maintain backwards compatibility to older hashes encoded with urlsafe.

Martijn Pieters mj at zopatista.com
Sun Feb 20 10:35:05 EST 2011


Log message for revision 120470:
  Maintain backwards compatibility to older hashes encoded with urlsafe.
  
  Update documentation as well.

Changed:
  U   zope.password/trunk/CHANGES.txt
  U   zope.password/trunk/src/zope/password/password.py

-=-
Modified: zope.password/trunk/CHANGES.txt
===================================================================
--- zope.password/trunk/CHANGES.txt	2011-02-20 15:29:04 UTC (rev 120469)
+++ zope.password/trunk/CHANGES.txt	2011-02-20 15:35:05 UTC (rev 120470)
@@ -25,6 +25,9 @@
   way. Checking passwards against old, still 'salted' password hashes is still
   supported.
 
+- Use the standard_base64encode method instead of url_base64encode to maintain
+  compatibility with LDAP.
+
 3.6.1 (2010-05-27)
 ------------------
 
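Review bot: The new CHANGES entry names "standard_base64encode" and "url_base64encode", which do not match the functions the code imports (standard_b64encode, urlsafe_b64decode); use the real names so the entry can be searched for. The entry also describes only the encoder switch, while the log message says this revision keeps older urlsafe-encoded hashes working; that is the behaviour users upgrading with stored hashes care about, so it should be stated here as well.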

Modified: zope.password/trunk/src/zope/password/password.py
===================================================================
--- zope.password/trunk/src/zope/password/password.py	2011-02-20 15:29:04 UTC (rev 120469)
+++ zope.password/trunk/src/zope/password/password.py	2011-02-20 15:35:05 UTC (rev 120470)
@@ -17,6 +17,7 @@
 
 from base64 import standard_b64encode
 from base64 import standard_b64decode
+from base64 import urlsafe_b64decode
 from os import urandom
 from codecs import getencoder
 try:
@@ -152,13 +153,16 @@
         return '{SSHA}' + standard_b64encode(hash.digest() + salt)
 
     def checkPassword(self, encoded_password, password):
-        # urlsafe_b64decode() cannot handle unicode input string. We
+        # standard_b64decode() cannot handle unicode input string. We
         # encode to ascii. This is safe as the encoded_password string
         # should not contain non-ascii characters anyway.
-        encoded_password = encoded_password.encode('ascii')
-        byte_string = standard_b64decode(encoded_password[6:])
+        encoded_password = encoded_password.encode('ascii')[6:]
+        if '_' in encoded_password or '-' in encoded_password:
+            # Encoded using urlsafe_b64encode
+            byte_string = urlsafe_b64decode(encoded_password)
+        byte_string = standard_b64decode(encoded_password)
         salt = byte_string[20:]
-        return encoded_password == self.encodePassword(password, salt)
+        return encoded_password == self.encodePassword(password, salt)[6:]
 
     def match(self, encoded_password):
         return encoded_password.startswith('{SSHA}')
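Review bot: In checkPassword, the unconditional "byte_string = standard_b64decode(encoded_password)" that follows the if block overwrites the urlsafe_b64decode result, so the urlsafe branch has no effect; it needs an "else:". Separately, the return line still compares strings: encoded_password against self.encodePassword(password, salt)[6:], which is produced with standard_b64encode, so a stored hash that contains '-' or '_' cannot compare equal even once the salt is decoded correctly. Compare the decoded bytes instead (byte_string against the decoded output of encodePassword), or re-encode byte_string with standard_b64encode before comparing. A test using an older urlsafe-encoded hash that contains one of those two characters would cover both points.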


