Chris Withers wrote:
> Chris Withers wrote:
> >
> > Steve Alexander wrote:
> > > My guess is that the argument "auth" passed to validate() has some
> > > trailing characters. Either that, or WebWhacker passed just "Basic " as
> > > an auth string.
> >
> > Yuk, that sounds like a Zope bug. Collector time with patch? A judicious
> > string.strip should solve the problem, surely?
> PS:
> A string.upper wouldn't go amiss either, then earlier versions of
> Mozilla that send an incorrectly capitalised 'Basic' might also be
> allowed to authenticate with Zope :-)

It is already there in 2.2final: if lower(auth[:6])!='basic ':

RFC 1945 has it as "Basic".

I also checked, and this version of the patch *should* work:

        # Only do basic authentication
        # (helpers come from the enclosing module: from string import lower, split, strip;
        #  from base64 import decodestring)
        if lower(auth[:6])!='basic ':
            return None
        # strip() tolerates extra whitespace after the scheme; maxsplit=1 keeps
        # any ':' inside the password
        name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))

The "strip" is in there just in case a client responds with

"basic  base64blah" instead of
"basic base64blah".

However, it still doesn't work if the client sends something bogus --
the tuple will only be one item long, rather than two.

If you want to be protected against bogosity in basic authentication,
you can stick with the original line, and put it inside a try-except:

        # Only do basic authentication
        # (helpers come from the enclosing module: from string import lower, split;
        #  from base64 import decodestring)
        if lower(auth[:6])!='basic ':
            return None
        try:
            # decodestring() raises on bad base64; the tuple unpacking raises
            # when the decoded payload has no ':' (a one-item tuple)
            name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))
        except:
            # Bogus basic authentication. Perhaps log something?
            return None

Steve Alexander
Software Engineer
Cat-Box limited
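The same parsing problems the thread discusses (a case-variant scheme token, extra whitespace after it, a payload that is not valid base64, and a decoded payload with no colon so the tuple is one item long) written up as a self-contained modern Python example. This is an added illustration, not Steve's patch or Zope's code; the header values in `demo()` are constructed for the example.

```python
import base64
import binascii


def parse_basic_auth(auth):
    """Parse an HTTP Authorization header value of the Basic scheme.

    Returns a (name, password) tuple, or None when the header is empty, uses
    another scheme, or is malformed. The scheme token is compared
    case-insensitively (RFC 1945 spells it "Basic", but scheme tokens are
    case-insensitive), whitespace around the credential blob is tolerated,
    and anything that is not "scheme credentials" with a colon-separated
    payload is rejected instead of raising into the caller.
    """
    if not auth:
        return None
    # split() on any whitespace, so "Basic  <blob>" (two spaces) still parses
    # and "Basic " alone yields a single token and is rejected below.
    parts = auth.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects non-alphabet characters instead of dropping them.
        decoded = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        # Bogus base64: not a usable Basic credential.
        return None
    # Split on the first ':' only; the user-id may not contain ':' but the
    # password may (the maxsplit=1 of the original patch).
    name, sep, password = decoded.partition(b":")
    if not sep:
        # No colon at all: this is the "tuple is only one item long" case.
        return None
    try:
        return name.decode("utf-8"), password.decode("utf-8")
    except UnicodeDecodeError:
        return None


def demo():
    """Run the parser over constructed header values; returns {label: result}."""
    good = base64.b64encode(b"alice:s3cret").decode("ascii")
    colon_pw = base64.b64encode(b"bob:pa:ss").decode("ascii")
    no_colon = base64.b64encode(b"alice").decode("ascii")
    cases = {
        "canonical": "Basic " + good,
        "lowercase_scheme": "basic " + good,
        "double_space": "Basic  " + good,
        "password_with_colon": "Basic " + colon_pw,
        "scheme_only": "Basic ",
        "other_scheme": "Bearer " + good,
        "bad_base64": "Basic not-base64!",
        "no_colon": "Basic " + no_colon,
        "empty": "",
    }
    return {label: parse_basic_auth(value) for label, value in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-20s -> %r" % (label, result))
```

Every malformed input returns None rather than raising, which is the behaviour the try-except in the thread is reaching for; the difference is that the failure modes are named individually, so a caller that wants to log the "bogus basic authentication" case can tell a bad scheme from bad base64.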

Zope-Dev maillist  -  [EMAIL PROTECTED]