[Zope-dev] Incorrect Padding?
Martijn Pieters
mj@digicool.com
Mon, 24 Jul 2000 20:36:26 +0200
On Mon, Jul 24, 2000 at 05:22:25PM +0100, Steve Alexander wrote:
> Chris Withers wrote:
> > A string.upper wouldn't go amiss either, then earlier versions of
> > Mozilla that send an incorrectly capitalised 'Basic' might also be
> > allowed to authenticate with Zope :-)
Heh, and allow Mozilla to gain the bug again? Zope wasn't the only server Moz
broke on though..
> It is already there in 2.2final: if lower(auth[:6])!='basic ':
>                                     ^^^^^
>
> RFC 1945 has it as "Basic".
>
> http://www.freesoft.org/CIE/RFC/1945/67.htm
RFC 1945 says one paragraph before that that the header should be matched
case-insensitively. That was what the Moz bug was all about.
> I also checked, and this version of the patch *should* work:
>
> # Only do basic authentication
> if lower(auth[:6])!='basic ':
>     return None
> name,password=tuple(split(decodestring(strip(auth[6:])), ':',
>                           1))
>
>
> The "strip" is in there just in case a client responds with
>
> "basic base64blah" instead of
> "basic base64blah".
The split already takes out the whitespace. No need to strip.
> However, it still doesn't work if the client sends something bogus --
> the tuple will only be one item long, rather than two.
That is a bug in the client then.
> If you want to be protected against bogosity in basic authentication,
> you can stick with the original line, and put it inside a try-except
> block:
>
> # Only do basic authentication
> if lower(auth[:6])!='basic ':
>     return None
> try:
>     name,password=\
>         tuple(split(decodestring(split(auth)[-1]), ':', 1))
> except:
>     # Bogus basic authentication. Perhaps log something?
>     return None
This would mask bugs in clients. Not a good idea.
--
Martijn Pieters
| Software Engineer mailto:mj@digicool.com
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
-----------------------------------------------------
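A hardened version of the header parse argued over above, added here as an example and not code from Zope or from either poster: it matches the scheme token case-insensitively as RFC 1945 requires, tolerates extra whitespace between scheme and credentials, and, instead of swallowing malformed credentials in a bare except, rejects them and logs why, so a broken client stays visible rather than masked. The function name `parse_basic_auth` and the logger name are assumptions.

```python
import base64
import binascii
import logging

# Assumed logger name; the thread only suggests "perhaps log something".
log = logging.getLogger("basic_auth")


def parse_basic_auth(auth):
    """Parse an HTTP Authorization header value for the Basic scheme.

    Returns (name, password) on success. Returns None when the header does
    not use the Basic scheme, or when it does but the credentials are
    malformed; the malformed case is logged instead of silently dropped.
    """
    if auth is None:
        return None
    # RFC 1945 / RFC 7617: the scheme token is case-insensitive, and any
    # amount of whitespace may separate it from the credentials, so split
    # on whitespace rather than slicing a fixed six characters.
    parts = auth.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    token = parts[1].strip()
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of ignoring them, so garbage cannot decode "successfully".
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        log.warning("Basic auth: credentials are not valid base64: %r", token)
        return None
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        log.warning("Basic auth: credentials are not valid UTF-8")
        return None
    # The user-id may not contain ':', but the password may, so split on
    # the first colon only; no colon at all is a malformed credential.
    if ":" not in text:
        log.warning("Basic auth: credentials lack the ':' separator")
        return None
    name, password = text.split(":", 1)
    return name, password
```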