Chris Withers wrote:
> Steve Alexander wrote:
> > My guess is that the argument "auth" passed to validate() has some
> > trailing characters. Either that, or WebWhacker passed just "Basic " as
> > an auth string.
> Yuk, that sounds like a Zope bug. Collector time with patch? A judicious
> string.strip should solve the problem, surely?

>>> from base64 import decodestring
>>> from string import *
>>> auth="Basic"
>>> tuple(split(decodestring(split(auth)[-1]), ':', 1))
Traceback (innermost last):
  File "<stdin>", line 1, in ?
  File "/usr//lib/python1.5/", line 46, in decodestring
    decode(f, g)
  File "/usr//lib/python1.5/", line 32, in decode
    s = binascii.a2b_base64(line)
binascii.Error: Incorrect padding

The problem is in the expression "split(auth)[-1]". If the auth string
contains no space but at least one character, then split(auth)[-1] ==

Perhaps what we should do is change this
(lib/python/AccessControl/, line 438)

        # Only do basic authentication
        if lower(auth[:6])!='basic ':
            return None
        name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

to this:

        # Only do basic authentication
        if lower(auth[:6])!='basic ' and len(auth)>6:
            return None
        name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

or even:

        # Only do basic authentication
        if lower(auth[:6])!='basic ':
            return None
        name,password=tuple(split(decodestring(auth[6:]), ':', 1))

(Need to check the last one with the RFC -- are you allowed anything
else other than "basic blarglebase64usernamepassword" ? )

> > Maybe log the auth argument and re-whack your site. (Warning... this is
> > certainly a nasty security hole. Be sure to get rid of the logging
> > afterwards.)
> I didn't whack my site, I just got mailed the error...

Well... try whacking yourself and see what the whacker actually sends --
we're just guessing until then.

Steve Alexander
Software Engineer
Cat-Box limited

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
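An added example, not code from the thread or from Zope: a Basic-credential parser written for Python 3 (using `base64.b64decode` in place of the 1.5-era `decodestring`) that returns `None` for every malformed header instead of letting the base64 decoder raise, which is the failure the traceback above shows for a header that is just `"Basic"`. The function names `parse_basic_auth` and `make_basic_auth` are this example's own, and the sample header values are constructed here.

```python
import base64
import binascii


def parse_basic_auth(auth):
    """Parse the value of an HTTP 'Authorization' header as a Basic credential.

    Returns (name, password) on success, or None when the value is not a
    well-formed Basic credential. It never raises on bad input: the thread's
    code reached decodestring() with a header that was only "Basic" (no
    space, no token), so split(auth)[-1] yielded "Basic" itself and base64
    failed with "Incorrect padding" instead of the caller getting None.
    """
    if auth is None:
        return None
    # The scheme token is case-insensitive and must be followed by whitespace
    # and a token; splitting on whitespace (max once) rejects a bare "Basic",
    # a trailing-space-only "Basic ", and any header with no credential part.
    parts = auth.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != 'basic':
        return None
    token = parts[1].strip()
    try:
        # validate=True rejects characters outside the base64 alphabet rather
        # than silently discarding them; binascii.Error covers bad padding.
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        userpass = raw.decode('utf-8')
    except UnicodeDecodeError:
        return None
    # user-pass is "userid:password"; the user id may not contain a colon but
    # the password may, so split on the first colon only.
    if ':' not in userpass:
        return None
    name, password = userpass.split(':', 1)
    return name, password


def make_basic_auth(name, password):
    """Build a Basic credential the way a client would (used for round-trip tests)."""
    token = base64.b64encode(('%s:%s' % (name, password)).encode('utf-8'))
    return 'Basic ' + token.decode('ascii')


if __name__ == '__main__':
    # Constructed sample headers, including the two cases guessed at in the thread.
    for header in ('Basic', 'Basic ', 'Basic dXNlcjpzZWNyZXQ=',
                   'Basic dXNlcjpzZWNyZXQ', 'Bearer dXNlcjpzZWNyZXQ='):
        print(repr(header), '->', parse_basic_auth(header))
```

Compared with the two patches proposed above, this version does not depend on `auth[:6]` at all: it parses the scheme token and the credential token as separate fields, so a header with a missing token, unusual spacing, or a non-base64 payload all fall through to `None` on the same path.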