Hi Martijn,

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Martijn Pieters
> 
> On 4/20/07, Giovannetti, Mark <[EMAIL PROTECTED]> wrote:
> > +    def checkPassword(self, storedPassword, password):
> > +        if len(storedPassword) == 48:
> > +            salt = storedPassword[0:8]
> > +        else:
> > +            salt = ''
> > +        return storedPassword == 
> self.encodePassword(password, salt)
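Review bot: the `len(storedPassword) == 48` test hard-codes one layout (8-character salt followed by the 40-character hex digest); a stored value with a salt of any other length falls through to `salt = ''` and is silently compared against an unsalted hash, so it can never verify. If unsalted stored hashes are meant to stay accepted (for example for migration of existing records), say so in a comment; otherwise derive the salt from the length of the prefix in front of the 40-character digest instead of testing for exactly 48.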
> 
> Because you allow the passing in of an arbitrary salt on encoding, you
> should either check the salt length on encoding (ensuring len 8) or,
> better, do the following:
> 
>     def checkPassword(self, storedPassword, password):
>         salt = storedPassword[:len(storedPassword)-40]
>         return storedPassword == self.encodePassword(password, salt)
> 
> That'll capture any salt length as the sha.hexdigest output is always
> 40 characters long.
> 

I like that update.  However, it would fail authentication on
stored lengths less than 40.  Yes, I know that a length less than
40 would mean an anomalous stored password, but at least we 
guarantee a blank '' salt, rather than the possibility of getting
some of the last hex digits of the stored password due to 
list wrap around.  Might make debugging a problem just a little 
easier, you never know.

Anyway:  

    def checkPassword(self, storedPassword, password):
        salt = storedPassword[:max(0, len(storedPassword)-40)]
        return storedPassword == self.encodePassword(password, salt)

Thanks!
Mark
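Added example (not code from the thread or from Zope): the three checkPassword variants discussed above, side by side, with a constructed encodePassword that follows the stored layout the thread implies (salt prefix followed by a 40-character SHA-1 hex digest; the hash input being salt + password is an assumption), plus a helper that shows what salt each slicing rule extracts from a short stored value.

```python
import hashlib


def encode_password(password, salt=''):
    """Constructed: salt prefix followed by the 40-char SHA-1 hex digest
    of salt + password. The original Zope encoder is not shown in the thread."""
    digest = hashlib.sha1((salt + password).encode('utf-8')).hexdigest()
    return salt + digest


def check_fixed48(stored, password):
    """Original patch: only an 8-char salt (total length 48) is recognised;
    any other salt length silently degrades to a blank salt and fails."""
    salt = stored[0:8] if len(stored) == 48 else ''
    return stored == encode_password(password, salt)


def check_any_salt(stored, password):
    """Martijn's version: the salt is whatever precedes the 40-char digest.
    For stored values shorter than 40 the slice stop goes negative."""
    salt = stored[:len(stored) - 40]
    return stored == encode_password(password, salt)


def check_clamped(stored, password):
    """Mark's version: clamp the slice so short (anomalous) stored values
    yield a blank salt instead of a prefix picked by a negative stop."""
    salt = stored[:max(0, len(stored) - 40)]
    return stored == encode_password(password, salt)


def salt_for(stored, clamp):
    """Return the salt each slicing rule would extract from `stored`."""
    n = len(stored) - 40
    return stored[:max(0, n)] if clamp else stored[:n]


if __name__ == '__main__':
    stored = encode_password('secret', 'abcdefghijkl')  # 12-char salt
    print(check_fixed48(stored, 'secret'), check_any_salt(stored, 'secret'),
          check_clamped(stored, 'secret'))
    # A 30-char anomalous stored value: unclamped slice keeps the first 20 chars.
    print(repr(salt_for('a' * 30, clamp=False)), repr(salt_for('a' * 30, clamp=True)))
```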
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
