[Zope-dev] Incorrect Padding?

Steve Alexander steve@cat-box.net
Mon, 24 Jul 2000 17:22:25 +0100


Chris Withers wrote:
> 
> Chris Withers wrote:
> >
> > Steve Alexander wrote:
> > > My guess is that the argument "auth" passed to validate() has some
> > > trailing characters. Either that, or WebWhacker passed just "Basic " as
> > > an auth string.
> >
> > Yuk, that sounds like a Zope bug. Collector time with patch? A judicious
> > string.strip should solve the problem, surely?
> 
> PS:
> 
> A string.upper wouldn't go amiss either, then earlier versions of
> Mozilla that send an incorrectly capitalised 'Basic' might also be
> allowed to authenticate with Zope :-)

It is already there in 2.2final: if lower(auth[:6])!='basic ':
                                    ^^^^^

RFC 1945 has it as "Basic".

http://www.freesoft.org/CIE/RFC/1945/67.htm

I also checked, and this version of the patch *should* work:

        # Only do basic authentication
        if lower(auth[:6])!='basic ':
            return None
        name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))


The "strip" is in there just in case a client responds with

"basic  base64blah" instead of
"basic base64blah".

However, it still doesn't work if the client sends something bogus --
the tuple will only be one item long, rather than two.

If you want to be protected against bogosity in basic authentication,
you can stick with the original line, and put it inside a try-except
block:

        # Only do basic authentication
        if lower(auth[:6])!='basic ':
            return None
        try:
            name,password=\
                tuple(split(decodestring(split(auth)[-1]), ':', 1))
        except:
            # Bogus basic authentication. Perhaps log something?
            return None

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
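As an added worked example, not code from this thread or from Zope: the
first patch above transcribed to Python 3 (naive_parse) next to a parser
that returns None for every malformed case the thread raises instead of
letting an exception escape. The names parse_basic_auth, naive_parse,
make_basic_header and naive_failure are assumptions for the example, and
the sample header values are constructed here.

```python
import base64
import binascii
from typing import Optional, Tuple

Credentials = Tuple[str, str]


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization value a well-behaved client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def naive_parse(auth: str) -> Optional[Credentials]:
    """The thread's first patch, transcribed to Python 3 (hypothetical name).

    It accepts any capitalisation of the scheme and strips whitespace around
    the token, but a bogus token still escapes as an exception: truncated
    base64 raises binascii.Error ("Incorrect padding"), and a decoded string
    with no ':' makes the two-name unpack raise ValueError.
    """
    if auth[:6].lower() != "basic ":
        return None
    decoded = base64.decodebytes(auth[6:].strip().encode("ascii"))
    name, password = tuple(decoded.split(b":", 1))
    return name.decode("utf-8"), password.decode("utf-8")


def parse_basic_auth(auth: Optional[str]) -> Optional[Credentials]:
    """Return (user, password) for a Basic credential, else None.

    Each rejection is explicit (no bare except): wrong or missing scheme,
    missing token, non-alphabet characters or bad padding in the base64,
    undecodable bytes, or no ':' separator all yield None.
    """
    if auth is None:
        return None
    # RFC 1945 spells the scheme "Basic", but scheme names compare
    # case-insensitively, so clients sending "basic" are accepted.
    parts = auth.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # "Basic", "Basic ", or a different scheme
    try:
        # validate=True also rejects whitespace inside the token.
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # The user-id may not contain ':', so split on the first one only;
    # the password keeps any further colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def naive_failure(auth: str) -> Optional[str]:
    """Qualified name of the exception naive_parse raises for auth, or None."""
    try:
        naive_parse(auth)
    except Exception as exc:
        return f"{type(exc).__module__}.{type(exc).__name__}"
    return None


# Constructed inputs covering the cases raised in the thread.
SAMPLES = [
    make_basic_header("alice", "s3cret"),  # well-formed
    "basic YWxpY2U6czNjcmV0",              # lower-case scheme (old Mozilla)
    "Basic  YWxpY2U6czNjcmV0",             # double space before the token
    "Basic ",                              # just the scheme (the WebWhacker guess)
    "Basic abc",                           # truncated base64: incorrect padding
    "Basic bm9jb2xvbg==",                  # decodes to "nocolon"
    "Bearer YWxpY2U6czNjcmV0",             # different scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:30} robust={parse_basic_auth(sample)!r:22} "
              f"naive raises={naive_failure(sample)}")
```

Catching ValueError rather than using a bare except keeps a genuine bug in
the handler (a typo, a NameError) from being silently turned into an
anonymous request, which is the one thing a bare except around
authentication code should never do.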