Re: [Zope-PAS] PluggableAuthService colon-in-cookie bug

2006-11-30 Thread Jens Vagelpohl

On 27 Nov 2006, at 18:00, Daniel Doerr wrote:

> Hey guys,
>
> recently I discovered a bug (or a feature???!!) in the way credentials
> are stored in cookies with PluggableAuthService.


Daniel, please file this as a bug report in the PAS collector:

http://www.zope.org/Collectors/PAS

Mailing lists are a bad place to send bug reports; they will simply
get lost and be forgotten.


jens





___
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas


[Zope-PAS] PluggableAuthService colon-in-cookie bug

2006-11-27 Thread Daniel Doerr
Hey guys,

recently I discovered a bug (or a feature???!!) in the way credentials 
are stored in cookies with PluggableAuthService. When somebody includes 
a colon in his password, the authentication for this user doesn't work 
anymore because of this code in 
PluggableAuthService.plugins.CookieAuthHelper.extractCredentials() 
line 122:

cookie_val = decodestring(unquote(cookie))
login, password = cookie_val.split(':')  # raises ValueError when cookie_val holds more than one ':'

.. which will fail if there is more than one colon in cookie_val. So, 
basically, nobody with a colon in his loginname or password can log in 
to Zope anymore. My first suggestion for fixing this unwanted 
behaviour was

cookie_val = decodestring(unquote(cookie))
login = cookie_val[:cookie_val.find(':')]       # everything before the first ':'
password = cookie_val[cookie_val.find(':')+1:]  # everything after the first ':'

.. but then I realized that there can also be colons in the loginname, 
since it shouldn't be part of PAS' job to decide whether a 
loginname or password is valid or not (and, in fact, PAS does not 
check the validity of the credentials before deciding to join or split 
them by a colon...).

So I wrote a bugfix, which solves this problem by encoding the 
loginname and password before delivering these to credentials-update 
plugins (which happens in PluggableAuthService.updateCredentials line 
1080). In addition, credentials have to be separately decoded in 
CookieAuthHelper.extractCredentials.

Patch for PluggableAuthService.py:
28a29
 from base64 import encodestring
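Review bot: this import only makes sense if the encoding really has to live in PluggableAuthService.py; note that base64.encodestring inserts a newline every 76 characters and appends a trailing newline, so the values passed on to the updater plugins will carry newline characters unless they are stripped. If the per-field encoding is moved into CookieAuthHelper (where the ':' separator is chosen and the cookie value is assembled), this import in the core module is not needed at all.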
1080c1081,1083
 updater.updateCredentials(request, response, login, 
new_password)
---
 updater.updateCredentials(request, response, \
 encodestring(login), \
 encodestring(new_password))
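Review bot: encoding login and new_password at this call site changes the contract for every credentials-update plugin, not just CookieAuthHelper: any other updater that stores the values as handed over would now persist base64 strings, while only CookieAuthHelper receives the matching decode in the second patch. Suggest leaving updateCredentials as it was and doing the per-field encodestring inside CookieAuthHelper's own updateCredentials, where cookie_val is built, so the colon-safe representation stays local to the plugin that relies on ':' as its separator. Minor: the backslash continuations are unnecessary inside the parentheses.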


Patch for plugins/CookieAuthHelper.py
125,126c125,126
 creds['login'] = login
 creds['password'] = password
---
 creds['login'] = decodestring(login)
 creds['password'] = decodestring(password)
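Review bot: the unconditional decodestring at lines 125-126 has no graceful path for a cookie issued before this change, or set by any other code that still writes plain login:password. decodestring discards characters outside the base64 alphabet and only raises binascii.Error on bad padding, so such a cookie either blows up inside extractCredentials or, when the field length happens to be a multiple of four, silently yields binary garbage as the login. Wrap both calls in try/except binascii.Error and return an empty creds dict on failure. It is also worth a comment that the split a few lines above stays unambiguous only because ':' never appears in base64 output; that invariant is what the whole fix rests on.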

These bugfixes work very well, but although I am aware that these are bugfixes on 
two different levels of the authentication process, I do not see any other 
possibility to fix this problem, because CookieAuthHandler extracts 
credentials from the request as well, which IMHO shouldn't be part of 
this plugin either...

After trying to get in contact with Tres Seaver directly, I finally found 
this awesome news group to post on.. If somebody can help me out by 
explaining this esoteric behaviour of PAS or can give me advice on how to 
avoid this problem, I would be very grateful!

Regards,
-dany
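
The cookie round trip described in the post above, as an added example that is not PAS code and not part of the original thread. It models the three schemes discussed: the original join-and-split on ':', the find()-based suggestion, and a per-field encoding that makes the ':' separator unambiguous. Python 3's b64encode/b64decode stand in for the Python 2 encodestring/decodestring that PAS used, urllib.parse.quote/unquote play the role of the cookie helper's URL quoting, and all function names (build_cookie_naive, extract_safe, ...) are hypothetical. The safe variant also handles the failure mode of a malformed or pre-upgrade cookie by returning None instead of raising.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# Added example (not PAS code). Python 3 base64 helpers replace the
# Python 2 encodestring/decodestring calls from the original thread.


def _b64(s):
    """Base64-encode a text string; output never contains ':'."""
    return base64.b64encode(s.encode('utf-8')).decode('ascii')


def _unb64(s):
    # validate=True rejects characters outside the base64 alphabet instead
    # of silently dropping them; bad padding raises binascii.Error as well.
    return base64.b64decode(s, validate=True).decode('utf-8')


def build_cookie_naive(login, password):
    """Original scheme: plain 'login:password', base64-encoded as a whole."""
    return quote(_b64('%s:%s' % (login, password)))


def extract_naive(cookie):
    """Original extractCredentials logic: a single split on ':'."""
    cookie_val = _unb64(unquote(cookie))
    login, password = cookie_val.split(':')  # ValueError if either field has ':'
    return login, password


def extract_find(cookie):
    """The find()-based suggestion: tolerates colons in the password only."""
    cookie_val = _unb64(unquote(cookie))
    sep = cookie_val.find(':')
    return cookie_val[:sep], cookie_val[sep + 1:]


def build_cookie_safe(login, password):
    """Encode each field first; base64 never emits ':', so the join is unambiguous."""
    return quote(_b64('%s:%s' % (_b64(login), _b64(password))))


def extract_safe(cookie):
    """Return (login, password), or None for a malformed or pre-upgrade cookie."""
    try:
        cookie_val = _unb64(unquote(cookie))
        enc_login, enc_password = cookie_val.split(':')  # exactly two fields expected
        return _unb64(enc_login), _unb64(enc_password)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        # wrong field count, non-base64 input, bad padding or non-UTF-8 bytes:
        # treat as "no credentials" rather than letting extraction blow up
        return None


if __name__ == '__main__':
    # constructed sample credentials with colons in both fields
    cookie = build_cookie_safe('user:name', 'pa:ss')
    print(extract_safe(cookie))  # ('user:name', 'pa:ss')
    print(extract_find(build_cookie_naive('user:name', 'pa:ss')))  # ('user', 'name:pa:ss')
```

Keeping both the encoding and the decoding inside the cookie helper, as build_cookie_safe/extract_safe do, avoids handing base64 strings to every other credentials-update plugin; the only invariant the scheme needs is that the separator character is absent from the per-field encoding's alphabet.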



