Maintain backwards compatibility to older hashes encoded with urlsafe.

Update documentation as well.
zopefoundation · Feb 20, 2011 · 21adafa · 21adafa
1 parent 5c61d37
commit 21adafa
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -25,6 +25,9 @@ CHANGES
   way. Checking passwards against old, still 'salted' password hashes is still
   supported.
 
+- Use the standard_base64encode method instead of url_base64encode to maintain
+  compatibility with LDAP.
+
 3.6.1 (2010-05-27)
 ------------------
 

diff --git a/src/zope/password/password.py b/src/zope/password/password.py
@@ -17,6 +17,7 @@
 
 from base64 import standard_b64encode
 from base64 import standard_b64decode
+from base64 import urlsafe_b64decode
 from os import urandom
 from codecs import getencoder
 try:
@@ -152,13 +153,16 @@ def encodePassword(self, password, salt=None):
         return '{SSHA}' + standard_b64encode(hash.digest() + salt)
 
     def checkPassword(self, encoded_password, password):
-        # urlsafe_b64decode() cannot handle unicode input string. We
+        # standard_b64decode() cannot handle unicode input string. We
         # encode to ascii. This is safe as the encoded_password string
         # should not contain non-ascii characters anyway.
-        encoded_password = encoded_password.encode('ascii')
-        byte_string = standard_b64decode(encoded_password[6:])
+        encoded_password = encoded_password.encode('ascii')[6:]
+        if '_' in encoded_password or '-' in encoded_password:
+            # Encoded using urlsafe_b64encode
+            byte_string = urlsafe_b64decode(encoded_password)
+        byte_string = standard_b64decode(encoded_password)
         salt = byte_string[20:]
-        return encoded_password == self.encodePassword(password, salt)
+        return encoded_password == self.encodePassword(password, salt)[6:]
 
     def match(self, encoded_password):
         return encoded_password.startswith('{SSHA}')