By replaying a request 2 times, paste accepts a replayed authentication request.
This patch prevents this by only allowing nonces that paste itself generated.
I suppose this is the desired behaviour, because paste already has
code to prevent replay attacks, but it only prevents the first replay;
the second one succeeds.
--
Kind regards,
Môshe van der Sterre
http://www.moshe.nl/
http://www.coecu.nl/
--- digest.py
+++ digest.py
@@ -50,7 +50,7 @@
"%s:%s" % (time.time(), random.random())).hexdigest()
opaque = md5.md5(
"%s:%s" % (time.time(), random.random())).hexdigest()
- self.nonce[nonce] = None
+ self.nonce[nonce] = '00000000'
parts = {'realm': self.realm, 'qop': 'auth',
'nonce': nonce, 'opaque': opaque }
if stale:
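Review bot: Storing the initial counter as the string `'00000000'` (`self.nonce[nonce] = '00000000'`) makes the later `if nc <= pnc:` check a lexicographic string comparison rather than a numeric one. That only orders correctly while the client's `nc` is exactly the fixed-width 8-digit lowercase hex value RFC 2617 prescribes; an uppercase or shorter `nc` compares differently. Consider validating the length and character set of `nc` (and lower-casing it) before the comparison, or converting both sides with `int(x, 16)`, and leave a comment on this line saying the baseline is a fixed-width hex string on purpose.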
@@ -73,7 +73,9 @@
if nonce in self.nonce:
del self.nonce[nonce]
return self.build_authentication()
- pnc = self.nonce.get(nonce,'00000000')
+ if not nonce in self.nonce:
+ return self.build_authentication(stale = True)
+ pnc = self.nonce[nonce]
if nc <= pnc:
if nonce in self.nonce:
del self.nonce[nonce]
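Review bot: The new check `if not nonce in self.nonce:` is the right fix for the reported replay (the old `self.nonce.get(nonce,'00000000')` silently accepted any nonce that had already been evicted by the earlier `del`), but two small points: write it as `if nonce not in self.nonce:`, which is the idiomatic form, and note that once this guard is in place the `if nonce in self.nonce:` test inside the `if nc <= pnc:` branch is always true and can be dropped, so the branch reads simply `del self.nonce[nonce]`. It would also help to document in the function docstring that an unknown nonce now yields a `stale=True` challenge rather than being accepted with a zero count.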
_______________________________________________
Paste-users mailing list
[email protected]
http://webwareforpython.org/cgi-bin/mailman/listinfo/paste-users