Issue 477685
Created on 2001-11-03 01:10 by grubert, last changed 2001-11-03 14:52 by grubert.
msg44 |
Author: [hidden] (grubert) |
Date: 2001-11-03 01:10 |
|
on some user:passwd if the encoded string is not multiple of 24bits, appending '=' cures.
|
msg45 |
Author: [hidden] (grubert) |
Date: 2001-11-03 01:16 |
|
Logged In: YES
user_id=147070
cgi_client.py:
cookie = cookie['roundup_user'].value
user, password = base64.decodestring(cookie+'=').split(':')
HERE______________________________________/!!!!
# make sure the user exists
|
msg46 |
Author: [hidden] (richard) |
Date: 2001-11-03 01:19 |
|
Logged In: YES
user_id=6405
Hrm - I'm a little concerned. I haven't looked at the code
yet, but I recall that that string is the output of
passing user:passedword to base64.encodestring. I must be
trucating the string somewhere...
|
msg47 |
Author: [hidden] (richard) |
Date: 2001-11-03 01:24 |
|
Logged In: YES
user_id=6405
I've committed a change to the cvs that may fix this. I've
switched to using binascii.[a2b|b2a]_base64 and am using
strip() instead of [:-1]. I tested with:
>>> import binascii
>>> binascii.a2b_base64(binascii.b2a_base64('a'))
'a'
>>> binascii.a2b_base64(binascii.b2a_base64('ab'))
'ab'
>>> binascii.a2b_base64(binascii.b2a_base64('abc'))
'abc'
>>> binascii.a2b_base64(binascii.b2a_base64('abcd'))
'abcd'
so if it still breaks, there's something else doing a
truncation of the data.
|
msg48 |
Author: [hidden] (richard) |
Date: 2001-11-03 02:01 |
|
Logged In: YES
user_id=6405
*ahem*
sorry, the test I did was actually:
>>> import binascii
>>> binascii.a2b_base64(binascii.b2a_base64('a').strip())
'a'
>>> binascii.a2b_base64(binascii.b2a_base64('ab').strip())
'ab'
>>> binascii.a2b_base64(binascii.b2a_base64('abc').strip())
'abc'
>>>
binascii.a2b_base64(binascii.b2a_base64('abcd').strip())
|
msg49 |
Author: [hidden] (grubert) |
Date: 2001-11-03 14:52 |
|
Logged In: YES
user_id=147070
ahem too still the same. and your test also works with base64. but lynx does not like it.
maybe the cookies value should be quoted for the trailing "=" to survive.
|
msg50 |
Author: [hidden] (grubert) |
Date: 2001-11-03 18:19 |
|
Logged In: YES
user_id=147070
the cvs version works.
|
msg51 |
Author: [hidden] (grubert) |
Date: 2001-11-03 18:48 |
|
Logged In: YES
user_id=147070
sorry for the hassle it does not work (only with abc as password).
acchording to my rfc understanding and to the Cookie module, Cookies with "=" in the value must be quoted. cgi_client.py line 599 (guessed).
Does IE quote the string, tolerate this or is anyone using 3 letter passwords ?
|
|
Date |
User |
Action |
Args |
2001-11-03 01:10:43 | grubert | create | |
|