From a5b44d4376367389ace607dac977bee21d8f0acb Mon Sep 17 00:00:00 2001
From: Thierry Florac
Date: Thu, 19 Dec 2013 22:29:59 +0100
Subject: [PATCH 1/3] Allow passwords containing colon(s)

---
 src/zope/pluggableauth/plugins/httpplugins.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/zope/pluggableauth/plugins/httpplugins.py b/src/zope/pluggableauth/plugins/httpplugins.py
index 6d7fab3..b455486 100644
--- a/src/zope/pluggableauth/plugins/httpplugins.py
+++ b/src/zope/pluggableauth/plugins/httpplugins.py
@@ -90,7 +90,7 @@ def extractCredentials(self, request):
                 if isinstance(credentials, unicode):
                     # No encoding needed, should be base64 string anyways.
                     credentials = credentials.encode()
-                login, password = base64.b64decode(credentials).split(b':')
+                login, password = base64.b64decode(credentials).split(b':', 1)
                 return {'login': login.decode('utf-8'),
                         'password': password.decode('utf-8')}
         return None

From d7aa9cf08209f66a5eb590636aff39baf904574e Mon Sep 17 00:00:00 2001
From: Thierry Florac
Date: Wed, 1 Jan 2014 23:59:08 +0100
Subject: [PATCH 2/3] Added unit test and RFC reference

---
 src/zope/pluggableauth/plugins/httpplugins.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/zope/pluggableauth/plugins/httpplugins.py b/src/zope/pluggableauth/plugins/httpplugins.py
index b455486..f69ef66 100644
--- a/src/zope/pluggableauth/plugins/httpplugins.py
+++ b/src/zope/pluggableauth/plugins/httpplugins.py
@@ -80,6 +80,14 @@ def extractCredentials(self, request):
         >>> print(plugin.extractCredentials(TestRequest('/')))
         None
 
+        According to RFC 2617, password can contain one or more colons;
+        user ID can't contain any colon.
+
+        >>> request = TextRequest(
+        ...     environ={'HTTP_AUTHORIZATION': u'Basic bWdyOm1ncnB3OndpdGg6Y29sb24='})
+        >>> pprint(plugin.extractCredentials(request))
+        {'login': u'mgr', 'password': u'mgrpw:with:colon'}
+
         """
         if not IHTTPRequest.providedBy(request):
             return None
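Review bot: The rewritten line still unpacks the split result straight into `login, password`, so a Basic header whose decoded value contains no colon at all raises ValueError out of extractCredentials instead of returning None as the method does for a missing header (see the final `return None`); any unauthenticated client can send such a header. A length check keeps the maxsplit fix and closes that path: `parts = base64.b64decode(credentials).split(b':', 1)` / `if len(parts) != 2: return None` / `login, password = parts`. The same pre-existing concern applies to `b64decode` on non-base64 input and to `.decode('utf-8')` on non-UTF-8 bytes, which could be folded into the same guard. extractCredentials begins before this hunk.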
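Review bot: The added doctest constructs the request with `TextRequest(`, which does not match the `TestRequest` used two lines above in the same docstring and will fail with a NameError when the doctest runs; change it to `>>> request = TestRequest(`. The encoded value does decode to `mgr:mgrpw:with:colon`, so the expected output is otherwise right for this fix, but the `u'...'` prefixes in the pprint output are the Python 2 repr and will not match if the suite also runs under Python 3, so follow whatever convention the surrounding doctests use for that. The docstring of extractCredentials begins before this hunk.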
From 5e8ccbcf67fbbf111a661f2cd26873f291704345 Mon Sep 17 00:00:00 2001
From: Thierry Florac
Date: Sat, 18 Jan 2014 11:20:15 +0100
Subject: [PATCH 3/3] Updated CHANGES.txt

---
 CHANGES.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES.txt b/CHANGES.txt
index dad14b8..8bc2658 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -8,6 +8,9 @@ Changes
 - Refactored ``zope.pluggableauth.plugins.session.redirectWithComeFrom``
   into a reusable function.
 
+- Fixed: allow password containing colon(s) in HTTP basic authentication
+  credentials extraction plug-in, to conform with RFC2617
+
 2.0.0a1 (2013-02-21)
 --------------------