On 4/20/07, Giovannetti, Mark <[EMAIL PROTECTED]> wrote:
+    def checkPassword(self, storedPassword, password):
+        if len(storedPassword) == 48:
+            salt = storedPassword[0:8]
+        else:
+            salt = ''
+        return storedPassword == self.encodePassword(password, salt)

Because you allow the passing in of an arbirtary salt on encoding, you
should either check the salt length on encoding (ensuring len 8) or,
better, do the following:

   def checkPassword(self, storedPassword, password):
       salt = storedPassword[:len(storedPassword)-40]
       return storedPassword == self.encodePassword(password, salt)

That'll capture any salt length as the sha.hexdigest output is always
40 characters long.

Martijn Pieters
Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to