[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ Collector #2039: '_authUserPW' choked on passwords containing colons.

Tres Seaver tseaver at palladion.com
Mon Mar 6 13:41:12 EST 2006


Log message for revision 65834:
  Collector #2039:  '_authUserPW' choked on passwords containing colons.

Changed:
  U   Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
  U   Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/HTTPRequest.py
  U   Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testHTTPRequest.py

-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt	2006-03-06 15:31:58 UTC (rev 65833)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt	2006-03-06 18:41:11 UTC (rev 65834)
@@ -6,26 +6,21 @@
 
   To-do
 
-   - Reenable C permission roles by implementing recent Python
-     changes in C, brining the Python and C implementations back in
-     sync.  See lib/python/AccessControl/PermissionRole.py.
-
    - Add cyclic-garbage collection support to C extension classes,
      especially to acquisition wrappers.
 
-   - Reenable C Zope security policy by implementing recent Python
-     changes in C, bringing the Python and C implementations back in
-     sync.  See lib/python/AccessControl/ZopeSecurityPolicy.py.
+     N.B:  ExtensionClassType already declares that it supports GC
+     (via the Py_TPFLAGS_HAVE_GC flag), but does not appear to conform
+     to the rules for such a type laid out in the Python docs:
+     http://docs.python.org/api/supporting-cycle-detection.html
 
-   - Change acquisition wrappers to implement the descr get slot
-     directly, thus speeding the use of the slot.
-
-   - Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8
-
   After Zope 2.8.6
 
     Bugs fixed
 
+      - Collector #2039: 'ZPublisher.HTTPRequest.HTTPRequest._authUserPW'
+        choked on passwords which contained colons.
+
       - Missing import of NotFound in webdav.Resource.
 
   Zope 2.8.6 (2006/02/25)

Modified: Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/HTTPRequest.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/HTTPRequest.py	2006-03-06 15:31:58 UTC (rev 65833)
+++ Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/HTTPRequest.py	2006-03-06 18:41:11 UTC (rev 65834)
@@ -1333,7 +1333,7 @@
             if auth[:6].lower() == 'basic ':
                 if base64 is None: import base64
                 [name,password] = \
-                    base64.decodestring(auth.split()[-1]).split(':')
+                    base64.decodestring(auth.split()[-1]).split(':', 1)
                 return name, password
 
     def taintWrapper(self, enabled=TAINTING_ENABLED):
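Review bot: The new `split(':', 1)` on line 64 still raises ValueError at the `[name,password] =` unpack when the decoded credentials contain no colon at all, so a malformed Basic header from an unauthenticated client turns into an unhandled exception rather than a failed login. A guard before the unpack keeps the function on its normal failure path: `creds = base64.decodestring(auth.split()[-1])`, `if ':' not in creds: return None`, `name, password = creds.split(':', 1)`. The decode itself can also raise `binascii.Error` on a payload that is not valid base64 (including a bare `Basic` token with nothing after it, since `auth.split()[-1]` then yields the word itself), which likely deserves the same treatment. `_authUserPW` starts before this hunk and its fall-through return for a missing or non-Basic header is not visible here, so the `return None` above assumes that is the existing value.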

Modified: Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testHTTPRequest.py	2006-03-06 15:31:58 UTC (rev 65833)
+++ Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testHTTPRequest.py	2006-03-06 18:41:11 UTC (rev 65834)
@@ -1,6 +1,71 @@
 import unittest
 from urllib import quote_plus
 
+class AuthCredentialsTestsa( unittest.TestCase ):
+
+    def _getTargetClass(self):
+        from ZPublisher.HTTPRequest import HTTPRequest
+        return HTTPRequest
+
+    def _makeOne(self, stdin=None, environ=None, response=None, clean=1):
+
+        if stdin is None:
+            from StringIO import StringIO
+            stdin = StringIO()
+
+        if environ is None:
+            environ = {}
+
+        if 'SERVER_NAME' not in environ:
+            environ['SERVER_NAME'] = 'http://localhost'
+
+        if 'SERVER_PORT' not in environ:
+            environ['SERVER_PORT'] = '8080'
+
+        if response is None:
+            class _FauxResponse(object):
+                _auth = None
+
+            response = _FauxResponse()
+
+        return self._getTargetClass()(stdin, environ, response, clean)
+
+    def test__authUserPW_simple( self ):
+
+        import base64
+
+        user_id = 'user'
+        password = 'password'
+        encoded = base64.encodestring( '%s:%s' % ( user_id, password ) )
+        auth_header = 'basic %s' % encoded
+
+        environ = { 'HTTP_AUTHORIZATION': auth_header }
+        request = self._makeOne( environ=environ )
+
+        user_id_x, password_x = request._authUserPW()
+
+        self.assertEqual( user_id_x, user_id )
+        self.assertEqual( password_x, password )
+
+    def test__authUserPW_with_embedded_colon( self ):
+
+        # http://www.zope.org/Collectors/Zope/2039
+
+        import base64
+
+        user_id = 'user'
+        password = 'embedded:colon'
+        encoded = base64.encodestring( '%s:%s' % ( user_id, password ) )
+        auth_header = 'basic %s' % encoded
+
+        environ = { 'HTTP_AUTHORIZATION': auth_header }
+        request = self._makeOne( environ=environ )
+
+        user_id_x, password_x = request._authUserPW()
+
+        self.assertEqual( user_id_x, user_id )
+        self.assertEqual( password_x, password )
+
 class RecordTests( unittest.TestCase ):
 
     def test_repr( self ):
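Review bot: The new class name `AuthCredentialsTestsa` on line 77 reads as a typo for `AuthCredentialsTests`; the same spelling is repeated in the `makeSuite` registration in this file's second hunk, so both lines should change together, e.g. `suite.addTest(unittest.makeSuite(AuthCredentialsTests, 'test'))`. The two tests only exercise well-formed credentials; a third case feeding a Basic header whose decoded value has no colon, e.g. `encoded = base64.encodestring('nocolon')`, would pin down what `_authUserPW` does when the fixed `split(':', 1)` yields a single element, which is currently left to an unpack error. Note that `base64.encodestring` appends a newline, so `auth_header` ends with `\n`; the tests pass only because the production code strips it via `auth.split()[-1]`, and a short comment on line 112 saying so would save the next reader a puzzle.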
@@ -622,6 +687,7 @@
 
 def test_suite():
     suite = unittest.TestSuite()
+    suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test'))
     suite.addTest(unittest.makeSuite(RecordTests, 'test'))
     suite.addTest(unittest.makeSuite(ProcessInputsTests, 'test'))
     suite.addTest(unittest.makeSuite(RequestTests, 'test'))


