Chris Withers wrote:
Chris Withers wrote:
Steve Alexander wrote:
My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.
Yuk, that sounds like a Zope bug. Collector time with patch? A judicious string.strip should solve the problem, surely?
PS:
A string.upper wouldn't go amiss either; then earlier versions of Mozilla that send an incorrectly capitalised 'Basic' might also be allowed to authenticate with Zope :-)
It is already there in 2.2final:

  if lower(auth[:6])!='basic ':
                     ^^^^^

RFC 1945 has it as "Basic".
http://www.freesoft.org/CIE/RFC/1945/67.htm

I also checked, and this version of the patch *should* work:

  # Only do basic authentication
  if lower(auth[:6])!='basic ':
      return None
  name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))

The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah". However, it still doesn't work if the client sends something bogus -- the tuple will only be one item long, rather than two.

If you want to be protected against bogosity in basic authentication, you can stick with the original line, and put it inside a try-except block:

  # Only do basic authentication
  if lower(auth[:6])!='basic ':
      return None
  try:
      name,password=\
          tuple(split(decodestring(split(auth)[-1]), ':', 1))
  except:
      # Bogus basic authentication. Perhaps log something?
      return None

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
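The same check written defensively in modern Python, added here as an illustration and not code from the thread or from Zope: it compares the scheme case-insensitively, tolerates extra whitespace around the base64 token, and returns None (rather than raising) for the bogus inputs discussed above, i.e. a bare "Basic", undecodable base64, and a decoded string with no colon. The function name and the sample header are constructed for this example.

```python
import base64
import binascii


def parse_basic_auth(auth):
    """Return (name, password) from an HTTP Authorization header value,
    or None if the value is not well-formed Basic credentials."""
    if not auth:
        return None
    # Split scheme from token on the first run of whitespace, so
    # "Basic  token" (two spaces) and "Basic token" both work.
    parts = auth.split(None, 1)
    if len(parts) != 2:
        return None            # e.g. a client sending just "Basic "
    scheme, token = parts
    # RFC 1945 spells the scheme "Basic", but compare case-insensitively
    # so clients that send "basic" or "BASIC" are still recognised.
    if scheme.lower() != 'basic':
        return None
    token = token.strip()
    try:
        # validate=True rejects characters outside the base64 alphabet
        # and bad padding instead of silently skipping them.
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None            # bogus base64
    try:
        text = decoded.decode('utf-8')
    except UnicodeDecodeError:
        return None
    # The user-id may not contain ':', but the password may, so split
    # on the first colon only.
    name, sep, password = text.partition(':')
    if not sep:
        return None            # no colon: only one "item", as in the thread
    return name, password


# Constructed sample header for "alice:secret" (base64: YWxpY2U6c2VjcmV0).
SAMPLE_HEADER = 'Basic ' + base64.b64encode(b'alice:secret').decode('ascii')

if __name__ == '__main__':
    print(parse_basic_auth(SAMPLE_HEADER))   # ('alice', 'secret')
    print(parse_basic_auth('Basic '))        # None
```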