[Zope-dev] Incorrect Padding?
Steve Alexander
steve@cat-box.net
Mon, 24 Jul 2000 15:38:06 +0100
Chris Withers wrote:
>
> Steve Alexander wrote:
> > My guess is that the argument "auth" passed to validate() has some
> > trailing characters. Either that, or WebWhacker passed just "Basic " as
> > an auth string.
>
> Yuk, that sounds like a Zope bug. Collector time with patch? A judicious
> string.strip should solve the problem, surely?
>>> from base64 import decodestring
>>> from string import *
>>> auth="Basic"
>>> tuple(split(decodestring(split(auth)[-1]), ':', 1))
Traceback (innermost last):
File "<stdin>", line 1, in ?
File "/usr//lib/python1.5/base64.py", line 46, in decodestring
decode(f, g)
File "/usr//lib/python1.5/base64.py", line 32, in decode
s = binascii.a2b_base64(line)
binascii.Error: Incorrect padding
The problem is in the expression "split(auth)[-1]". If the auth string
contains no space but at least one character, then split(auth)[-1] ==
split(auth)[0].
Perhaps what we should do is change this
(lib/python/AccessControl/User.py, line 438)
    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))
to this:
    # Only do basic authentication; also reject a header that is
    # nothing but the scheme word, since then split(auth)[-1] would
    # be "Basic" itself rather than the credential
    if lower(auth[:6])!='basic ' or len(auth)<=6:
        return None
    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))
or even:
    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(auth[6:]), ':', 1))
(Need to check the last one with the RFC -- are you allowed anything
else other than "basic blarglebase64usernamepassword" ? )
> > Maybe log the auth argument and re-whack your site. (Warning... this is
> > certainly a nasty security hole. Be sure to get rid of the logging
> > afterwards.)
>
> I didn't whack my site, I just got mailed the error...
Well... try whacking yourself and see what the whacker actually sends --
we're just guessing until then.
--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
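As an added Python 3 illustration (not Zope's code and not part of this thread), the original `split(auth)[-1]` parse is placed beside a version that takes `auth[6:]` as the third proposal suggests, and both are exercised on constructed header values; the sample credentials are made up.

```python
import base64
import binascii

# Constructed Authorization header values covering the cases in the thread.
SAMPLES = {
    "good": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "no_space": "Basic",
    "trailing_space": "Basic ",
    "bad_base64": "Basic not-base64!!",
    "no_colon": "Basic " + base64.b64encode(b"alice").decode(),
    "other_scheme": "Bearer abc",
}


def parse_basic_original(auth):
    """Mirror of the User.py logic quoted in the thread: split on whitespace
    and decode the last token. With "Basic " (scheme plus trailing space) the
    last token is "Basic" itself, so decoding raises "Incorrect padding"."""
    if auth[:6].lower() != 'basic ':
        return None
    decoded = base64.decodebytes(auth.split()[-1].encode()).decode('latin-1')
    name, password = tuple(decoded.split(':', 1))
    return name, password


def original_fails(auth):
    """True when the original expression raises on this header value."""
    try:
        parse_basic_original(auth)
    except (binascii.Error, ValueError):
        return True
    return False


def parse_basic_hardened(auth):
    """Take the credential as everything after the six-character scheme
    prefix (the thread's third proposal) and map every malformed header
    to None instead of raising."""
    if len(auth) <= 6 or auth[:6].lower() != 'basic ':
        return None
    try:
        decoded = base64.b64decode(auth[6:].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    name, sep, password = decoded.decode('latin-1').partition(':')
    if not sep:  # no "user:password" separator in the decoded credential
        return None
    return name, password
```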