Commit 31e1d384 authored by Tres Seaver's avatar Tres Seaver

Collector #2039: '_authUserPW' choked on passwords containing colons.

parent bd5f1829
......@@ -6,26 +6,21 @@ Zope Changes
To-do
- Reenable C permission roles by implementing recent Python
changes in C, brining the Python and C implementations back in
sync. See lib/python/AccessControl/PermissionRole.py.
- Add cyclic-garbage collection support to C extension classes,
especially to acquisition wrappers.
- Reenable C Zope security policy by implementing recent Python
changes in C, bringing the Python and C implementations back in
sync. See lib/python/AccessControl/ZopeSecurityPolicy.py.
- Change acquisition wrappers to implement the descr get slot
directly, thus speeding the use of the slot.
- Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8
N.B: ExtensionClassType already declares that it supports GC
(via the Py_TPFLAGS_HAVE_GC flag), but does not appear to conform
to the rules for such a type laid out in the Python docs:
http://docs.python.org/api/supporting-cycle-detection.html
After Zope 2.8.6
Bugs fixed
- Collector #2039: 'ZPublisher.HTTPRequest.HTTPRequest._authUserPW'
choked on passwords which contained colons.
- Missing import of NotFound in webdav.Resource.
Zope 2.8.6 (2006/02/25)
......
......@@ -1333,7 +1333,7 @@ class HTTPRequest(BaseRequest):
if auth[:6].lower() == 'basic ':
if base64 is None: import base64
[name,password] = \
base64.decodestring(auth.split()[-1]).split(':')
base64.decodestring(auth.split()[-1]).split(':', 1)
return name, password
def taintWrapper(self, enabled=TAINTING_ENABLED):
......
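Review bot: Splitting at the first colon fixes the reported case, but the two-element unpack on the line above still raises ValueError when the decoded payload contains no colon at all, and `base64.decodestring` raises `binascii.Error` when the payload after `basic ` is not valid base64; both escape from a credential-parsing helper on a header value the client fully controls. The function's earlier lines, and whatever it returns for a header that carries no usable credentials, are outside the hunk, but a guard such as `decoded = base64.decodestring(auth.split()[-1])` followed by `if ':' not in decoded: return <the function's existing no-credentials result>` (with the decode wrapped to catch `binascii.Error` the same way) would turn a malformed header into an unauthenticated request rather than an error. Treating the first colon as the separator is the correct reading of Basic credentials, whose user-id may not contain a colon, so the new split itself is right.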
import unittest
from urllib import quote_plus
class AuthCredentialsTestsa( unittest.TestCase ):
def _getTargetClass(self):
from ZPublisher.HTTPRequest import HTTPRequest
return HTTPRequest
def _makeOne(self, stdin=None, environ=None, response=None, clean=1):
if stdin is None:
from StringIO import StringIO
stdin = StringIO()
if environ is None:
environ = {}
if 'SERVER_NAME' not in environ:
environ['SERVER_NAME'] = 'http://localhost'
if 'SERVER_PORT' not in environ:
environ['SERVER_PORT'] = '8080'
if response is None:
class _FauxResponse(object):
_auth = None
response = _FauxResponse()
return self._getTargetClass()(stdin, environ, response, clean)
def test__authUserPW_simple( self ):
import base64
user_id = 'user'
password = 'password'
encoded = base64.encodestring( '%s:%s' % ( user_id, password ) )
auth_header = 'basic %s' % encoded
environ = { 'HTTP_AUTHORIZATION': auth_header }
request = self._makeOne( environ=environ )
user_id_x, password_x = request._authUserPW()
self.assertEqual( user_id_x, user_id )
self.assertEqual( password_x, password )
def test__authUserPW_with_embedded_colon( self ):
# http://www.zope.org/Collectors/Zope/2039
import base64
user_id = 'user'
password = 'embedded:colon'
encoded = base64.encodestring( '%s:%s' % ( user_id, password ) )
auth_header = 'basic %s' % encoded
environ = { 'HTTP_AUTHORIZATION': auth_header }
request = self._makeOne( environ=environ )
user_id_x, password_x = request._authUserPW()
self.assertEqual( user_id_x, user_id )
self.assertEqual( password_x, password )
class RecordTests( unittest.TestCase ):
def test_repr( self ):
......@@ -622,6 +687,7 @@ class RequestTests( unittest.TestCase ):
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test'))
suite.addTest(unittest.makeSuite(RecordTests, 'test'))
suite.addTest(unittest.makeSuite(ProcessInputsTests, 'test'))
suite.addTest(unittest.makeSuite(RequestTests, 'test'))
......
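Review bot: The class registered here as `AuthCredentialsTestsa` is defined with that same name earlier in the file (`class AuthCredentialsTestsa( unittest.TestCase ):`), and the trailing `a` looks like a stray character rather than an intended name; renaming both occurrences to `AuthCredentialsTests` keeps it consistent with `RecordTests`, `ProcessInputsTests` and `RequestTests` in the same suite. Both new tests also build the header with `base64.encodestring`, which appends a newline, so the fixture only works because `_authUserPW` takes `auth.split()[-1]`; a comment in the tests, `# encodestring appends a newline; _authUserPW's split() drops it`, would make that dependency explicit. test_suite's body appears to continue past the hunk.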