[Zope-dev] Incorrect Padding?
Steve Alexander
steve@cat-box.net
Mon, 24 Jul 2000 15:19:34 +0100
Chris Withers wrote:
>
> Does anyone know what this means?
>
> The page views fine for me and this is the first error of this type I've
> seen since we launched the archives. I wonder what WebWhacker is doing
> to cause this?
Well... you can get an incorrect padding error like this:

>>> import binascii
>>> binascii.a2b_base64('a ')
Traceback (innermost last):
  File "<stdin>", line 1, in ?
binascii.Error: Incorrect padding

You can also get it by adding arbitrary non-space characters to the end of
a basic authentication string.
Here's the line that'll be causing the problem.
(Zope 2.2final, lib/python/AccessControl/User.py line 441)
name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))
My guess is that the argument "auth" passed to validate() has some
trailing characters. Either that, or WebWhacker passed just "Basic " as
an auth string.
Maybe log the auth argument and re-whack your site. (Warning... this is
certainly a nasty security hole. Be sure to get rid of the logging
afterwards.)
--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
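
The failure modes described in the message above (a bare "Basic ", trailing junk after the token, bad padding), handled without an unhandled exception and with a debug summary that never records the credentials. This is an added example, not part of the original post and not Zope's code; it assumes Python 3, and the function names parse_basic_auth and describe_auth_for_log are hypothetical.

```python
import base64
import binascii


def parse_basic_auth(auth):
    """Return (name, password) from an Authorization value, or None if malformed."""
    parts = (auth or "").split()
    # Expect exactly "Basic <token>"; a bare "Basic " yields a single part.
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None  # covers "Incorrect padding" and trailing junk
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    name, sep, password = text.partition(":")
    if not sep:
        return None  # no colon: a two-name tuple unpacking would raise here
    return name, password


def describe_auth_for_log(auth):
    """Summarise a header value for debugging without recording any part of it."""
    parts = (auth or "").split()
    # Only report whether the scheme is Basic: a header with no scheme would
    # otherwise put the token itself in the log.
    is_basic = bool(parts) and parts[0].lower() == "basic"
    token_len = len(parts[-1]) if len(parts) > 1 else 0
    return "basic_scheme=%s parts=%d token_len=%d parsed=%s" % (
        is_basic, len(parts), token_len, parse_basic_auth(auth) is not None)


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    good = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    for header in (good, good + "!!", "Basic ", "Basic a", None):
        print(describe_auth_for_log(header))
```

The summary line is enough to tell a truncated or padded header from a well-formed one, so the full auth string never needs to reach a log file.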