Roundup Tracker - Issues

Issue 477685

classification
base64.decodestring breaks
Type: Severity: normal
Components: Web interface Versions:
process
Status: closed fixed
:
: richard : grubert, richard
Priority: normal :

Created on 2001-11-03 01:10 by grubert, last changed 2001-11-03 14:52 by grubert.

Messages
msg44 Author: [hidden] (grubert) Date: 2001-11-03 01:10
on some user:passwd if the encoded string is not multiple of 24bits, appending '=' cures.
msg45 Author: [hidden] (grubert) Date: 2001-11-03 01:16
Logged In: YES 
user_id=147070

cgi_client.py:
cookie = cookie['roundup_user'].value
user, password = base64.decodestring(cookie+'=').split(':')
HERE______________________________________/!!!!
# make sure the user exists
msg46 Author: [hidden] (richard) Date: 2001-11-03 01:19
Logged In: YES 
user_id=6405

Hrm - I'm a little concerned. I haven't looked at the code 
yet, but I recall that that string is the output of 
passing user:passedword to base64.encodestring. I must be 
trucating the string somewhere...

msg47 Author: [hidden] (richard) Date: 2001-11-03 01:24
Logged In: YES 
user_id=6405

I've committed a change to the cvs that may fix this. I've 
switched to using binascii.[a2b|b2a]_base64 and am using 
strip() instead of [:-1]. I tested with:

>>> import binascii
>>> binascii.a2b_base64(binascii.b2a_base64('a'))
'a'
>>> binascii.a2b_base64(binascii.b2a_base64('ab'))
'ab'
>>> binascii.a2b_base64(binascii.b2a_base64('abc'))
'abc'
>>> binascii.a2b_base64(binascii.b2a_base64('abcd'))
'abcd'


so if it still breaks, there's something else doing a 
truncation of the data.

msg48 Author: [hidden] (richard) Date: 2001-11-03 02:01
Logged In: YES 
user_id=6405

*ahem*
sorry, the test I did was actually:
>>> import binascii
>>> binascii.a2b_base64(binascii.b2a_base64('a').strip())
'a'
>>> binascii.a2b_base64(binascii.b2a_base64('ab').strip())
'ab'
>>> binascii.a2b_base64(binascii.b2a_base64('abc').strip())
'abc'
>>> 
binascii.a2b_base64(binascii.b2a_base64('abcd').strip())

msg49 Author: [hidden] (grubert) Date: 2001-11-03 14:52
Logged In: YES 
user_id=147070

ahem too still the same. and your test also works with base64. but lynx does not like it. 
maybe the cookies value should be quoted for the trailing "=" to survive.
 
msg50 Author: [hidden] (grubert) Date: 2001-11-03 18:19
Logged In: YES 
user_id=147070

the cvs version works.
msg51 Author: [hidden] (grubert) Date: 2001-11-03 18:48
Logged In: YES 
user_id=147070

sorry for the hassle it does not work (only with abc as password).
acchording to my rfc understanding and to the Cookie module, Cookies with "=" in the value must be quoted. cgi_client.py line 599 (guessed).

Does IE quote the string, tolerate this or is anyone using 3 letter passwords ?
History
Date User Action Args
2001-11-03 01:10:43grubertcreate