Chris Withers wrote:
Steve Alexander wrote:
My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.
Yuk, that sounds like a Zope bug. Collector time with patch? A judicious string.strip should solve the problem, surely?
>>> from base64 import decodestring
>>> from string import *
>>> auth="Basic"
>>> tuple(split(decodestring(split(auth)[-1]), ':', 1))
Traceback (innermost last):
  File "<stdin>", line 1, in ?
  File "/usr//lib/python1.5/base64.py", line 46, in decodestring
    decode(f, g)
  File "/usr//lib/python1.5/base64.py", line 32, in decode
    s = binascii.a2b_base64(line)
binascii.Error: Incorrect padding
The problem is in the expression "split(auth)[-1]". If the auth string contains no space but at least one character, then split(auth)[-1] == split(auth)[0].

Perhaps what we should do is change this (lib/python/AccessControl/User.py, line 438)

    # Only do basic authentication
    if lower(auth[:6])!='basic ': return None
    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

to this:

    # Only do basic authentication
    if lower(auth[:6])!='basic ' and len(auth)>6: return None
    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

or even:

    # Only do basic authentication
    if lower(auth[:6])!='basic ': return None
    name,password=tuple(split(decodestring(auth[6:]), ':', 1))

(Need to check the last one with the RFC -- are you allowed anything else other than "basic blarglebase64usernamepassword" ? )
Maybe log the auth argument and re-whack your site. (Warning... this is certainly a nasty security hole. Be sure to get rid of the logging afterwards.)
I didn't whack my site, I just got mailed the error...
Well... try whacking yourself and see what the whacker actually sends -- we're just guessing until then.

-- 
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
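The header-parsing failure discussed in this thread, worked through as an added example in modern Python 3. This is not Zope's code and not a patch to AccessControl/User.py: the first two functions port the expression quoted above (and the auth[6:] variant proposed as an alternative) so the crash on a bare "Basic " value can be reproduced, and parse_basic_auth shows a parser that returns None on any malformed header instead of raising. The layout it accepts is assumed from RFC 7617 (which replaced the Basic scheme text of RFC 2617): the scheme token "Basic", case-insensitive, at least one space, then base64 of user-id ":" password, where the user-id may not contain a colon but the password may. The header values in the code and tests are constructed samples.

```python
"""Parsing HTTP Basic credentials without crashing on "Basic ".

Added example, not Zope's code. Reproduces the failure quoted in the
thread and shows a parser that rejects malformed input instead of raising.
"""
import base64
import binascii
from typing import Callable, Optional, Tuple


def parse_basic_thread_style(auth: str) -> Optional[Tuple[str, str]]:
    """Python 3 port of the logic quoted in the thread, bug included.

    str.split() with no separator drops trailing whitespace, so for the
    header value "Basic " the last element is "Basic" itself, which is
    then handed to the base64 decoder and fails with "Incorrect padding".
    """
    if auth[:6].lower() != "basic ":
        return None
    token = auth.split()[-1]
    userpass = base64.b64decode(token).decode("latin-1")
    name, password = tuple(userpass.split(":", 1))
    return name, password


def parse_basic_slice_style(auth: str) -> Optional[Tuple[str, str]]:
    """The thread's auth[6:] variant.

    "Basic " decodes to the empty string, which has no colon, so the
    two-value unpack raises ValueError: still a crash, just a different one.
    """
    if auth[:6].lower() != "basic ":
        return None
    userpass = base64.b64decode(auth[6:]).decode("latin-1")
    name, password = tuple(userpass.split(":", 1))
    return name, password


def failure_of(parser: Callable[[str], object], auth: str) -> Optional[str]:
    """Return 'module.ExceptionName' raised by parser(auth), or None."""
    try:
        parser(auth)
    except Exception as exc:  # broad on purpose: we report what escaped
        return f"{type(exc).__module__}.{type(exc).__name__}"
    return None


def parse_basic_auth(auth: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user_id, password) from an Authorization header value, or
    None if it is absent, uses another scheme, or is malformed.

    Layout assumed per RFC 7617: "Basic" (case-insensitive), one or more
    spaces, then base64(user-id ":" password). Nothing here raises on
    attacker-controlled input.
    """
    if not auth:
        return None
    scheme, _, rest = auth.strip().partition(" ")
    if scheme.lower() != "basic":
        return None  # Digest, Bearer, or junk: not ours to decode
    token = rest.strip()
    if not token:
        return None  # "Basic " with nothing after it: the WebWhacker case
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # non-alphabet characters or bad padding (e.g. "Basic")
    try:
        userpass = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user_id, sep, password = userpass.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user_id, password


def make_basic_header(user_id: str, password: str) -> str:
    """Build a header value the way a client would (constructed input)."""
    if ":" in user_id:
        raise ValueError("user-id may not contain a colon (RFC 7617)")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return f"Basic {token.decode('ascii')}"


if __name__ == "__main__":
    for value in ("Basic ", "Basic", "Basic dXNlcjpwYXNz"):
        print(repr(value), "->", parse_basic_auth(value),
              "| thread-style raises:", failure_of(parse_basic_thread_style, value),
              "| slice-style raises:", failure_of(parse_basic_slice_style, value))
```

The "dXNlcjpwYXNz" token is simply base64 of "user:pass". The point worth keeping from the example is that both snippets in the thread let an exception escape from the authentication path on a header a client can legitimately send; whatever the final form of the check, the decode and the split should be guarded so that a malformed header is treated as "no credentials supplied" rather than as a server error.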