On Mon, Jul 24, 2000 at 05:22:25PM +0100, Steve Alexander wrote:
Chris Withers wrote:
A string.upper wouldn't go amiss either, then earlier versions of Mozilla that send an incorrectly capitalised 'Basic' might also be allowed to authenticate with Zope :-)
Heh, and allow Mozilla to gain the bug again? Zope wasn't the only server Moz broke on though..
It is already there in 2.2final:

    if lower(auth[:6])!='basic ':
       ^^^^^
RFC 1945 has it as "Basic".
RFC 1945 says one paragraph before that that the header should be matched case-insensitively. That was what the Moz bug was all about.
I also checked, and this version of the patch *should* work:
    # Fragment of the header-checking code; in Zope these helpers are
    # imported at module level.
    from string import lower, split, strip
    from base64 import decodestring

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    # Decode the credentials and split on the first ':' only, so a
    # password containing ':' stays intact.
    name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))
The "strip" is in there just in case a client responds with
"basic  base64blah" instead of "basic base64blah".
The split already takes out the whitespace. No need to strip.
However, it still doesn't work if the client sends something bogus -- the tuple will only be one item long, rather than two.
That is a bug in the client then.
If you want to be protected against bogosity in basic authentication, you can stick with the original line, and put it inside a try-except block:
    # Fragment of the header-checking code; in Zope these helpers are
    # imported at module level.
    from string import lower, split
    from base64 import decodestring

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    try:
        # Last whitespace-separated token is the base64 blob; split on
        # the first ':' only.
        name,password=\
            tuple(split(decodestring(split(auth)[-1]), ':', 1))
    except:
        # Bogus basic authentication. Perhaps log something?
        return None
This would mask bugs in clients. Not a good idea.

--
Martijn Pieters | Software Engineer
mailto:mj@digicool.com | Digital Creations
http://www.digicool.com/ | Creators of Zope
http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio
-----------------------------------------------------
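As an added example (not code from this thread, nor Zope's own), here is a Python 3 parser for the Authorization header value that applies the points argued above: the scheme is compared case-insensitively as RFC 1945 requires, surplus whitespace between scheme and credentials is tolerated, and bogus input (bad base64, no colon) is rejected explicitly instead of being swallowed by a bare except. The function name and the sample headers are constructed for this example.

```python
import base64
import binascii


def parse_basic_auth(auth):
    """Return (name, password) from an Authorization header value, or None.

    None means "not Basic, or malformed"; the caller then falls through
    to other authentication methods or answers 401. Each failure case is
    a separate, explicit check, so client bugs are not masked silently.
    """
    if auth is None:
        return None
    parts = auth.split()            # tolerates "basic  blob" (extra spaces)
    if len(parts) != 2:
        return None                 # bare "Basic", or trailing garbage
    scheme, blob = parts
    if scheme.lower() != 'basic':   # RFC 1945: scheme is case-insensitive
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None                 # not valid base64: bogus client
    try:
        creds = raw.decode('utf-8')
    except UnicodeDecodeError:
        return None
    if ':' not in creds:
        return None                 # credentials must be "user:password"
    name, password = creds.split(':', 1)   # password may itself contain ':'
    return name, password


def check_samples():
    """Run constructed sample headers (not captured traffic) through the
    parser and report whether every case gives the expected result."""
    samples = [
        ('Basic YWxpY2U6czNjcmV0', ('alice', 's3cret')),   # canonical
        ('basic  Ym9iOnBhOnNz', ('bob', 'pa:ss')),         # lowercase, 2 spaces
        ('BASIC YWxpY2U6czNjcmV0', ('alice', 's3cret')),   # all caps
        ('Basic !!notbase64!!', None),                     # bad base64
        ('Basic bm9jb2xvbg==', None),                      # "nocolon"
        ('Digest username="x"', None),                     # other scheme
        ('Basic', None),                                   # no credentials
    ]
    return all(parse_basic_auth(hdr) == want for hdr, want in samples)


if __name__ == '__main__':
    print('all samples OK' if check_samples() else 'mismatch')
```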