Giovannetti, Mark wrote:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martijn Pieters
    def checkPassword(self, storedPassword, password):
        salt = storedPassword[:len(storedPassword)-40]
        return storedPassword == self.encodePassword(password, salt)

That'll capture any salt length as the sha.hexdigest output is always
40 characters long.

I like that update.  However, it would fail authentication on
stored lengths less than 40.  Yes, I know that a length less than
40 would mean an anomalous stored password, but at least we
guarantee a blank '' salt, rather than the possibility of getting
some of the last hex digits of the stored password due to list
wrap around.

Slices don't wrap around.

Might make debugging a problem just a little easier, you never know.

    def checkPassword(self, storedPassword, password):
        salt = storedPassword[:max(0, len(storedPassword)-40)]
        return storedPassword == self.encodePassword(password, salt)

With Python you can do things as simply as possible. :-) The expression
storedPassword[:-40] (which is equivalent to
storedPassword[:len(storedPassword)-40]) does exactly what you want:

>>> "password"[:-40]

Dmitry Vasiliev <dima at>
Zope3-dev mailing list
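
Added example, not code from the thread or from Zope: it runs the three salt-slice spellings quoted above over well-formed and truncated stored values and checks that verification fails on the truncated ones. The `salt + sha1(salt + password).hexdigest()` layout of `encode_password`, the optional `salt` parameter and all sample values are assumptions constructed for illustration; the thread does not show `encodePassword`.

```python
import hashlib
import hmac

DIGEST_LEN = 40  # a SHA-1 hexdigest is always 40 characters


def encode_password(password, salt):
    # Assumed layout (not shown in the thread): salt + hex SHA-1(salt + password).
    return salt + hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def salt_variants(stored):
    """Return the salt as computed by each slice spelling from the thread."""
    explicit = stored[:len(stored) - DIGEST_LEN]
    clamped = stored[:max(0, len(stored) - DIGEST_LEN)]
    negative = stored[:-DIGEST_LEN]
    return explicit, clamped, negative


def check_password(stored, password, salt=None):
    """Verify password against stored; salt defaults to the [:-40] slice."""
    if salt is None:
        salt = stored[:-DIGEST_LEN]
    candidate = encode_password(password, salt)
    # candidate is always >= 40 characters, so a truncated stored value
    # can never compare equal, whichever salt was sliced out of it.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def demo():
    good = encode_password("s3cret", "ab")          # constructed sample
    samples = {
        "salted": good,
        "unsalted": encode_password("s3cret", ""),
        "truncated-30": good[:30],                  # constructed anomaly
        "truncated-8": good[:8],                    # constructed anomaly
    }
    rows = {}
    for name, stored in samples.items():
        salts = salt_variants(stored)
        ok = [check_password(stored, "s3cret", s) for s in salts]
        rows[name] = (salts, ok)
    return rows


if __name__ == "__main__":
    for name, (salts, ok) in demo().items():
        print(name, salts, ok)
```

For a stored value of 21 to 39 characters the explicit `len(...) - 40` form returns a non-empty prefix while the `max(0, ...)` and `[:-40]` forms return `''`; in every case the comparison still rejects the truncated value.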
