Context Navigation

Modify ↓

#13467 closed defect (fixed)

Basic authentication failing when colon characters are used in password

Reported by:	Jun Omae	Owned by:	Jun Omae
Priority:	normal	Milestone:	1.4.4
Component:	web frontend/tracd	Version:
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:	Fix basic authention when colon characters are used in password.
API Changes:
Internal Changes:

Description

I noticed that BasicAuthentication.do_auth has an issue in splitting by colon character while working of #13464. In fact, the basic authentication is failing when colon characters are used in the password.

trac/web/auth.py

diff --git a/trac/web/auth.py b/trac/web/auth.py
index 77744babc..8363bcb0c 100644

                class BasicAuthentication(PasswordFileAuthentication):
     def do_auth(self, environ, start_response):
         header = environ.get('HTTP_AUTHORIZATION')
         if header and header.startswith('Basic'):
             auth = b64decode(header[6:]).split(':')
+            auth = b64decode(header[6:]).split(':', 1)
             if len(auth) == 2:
                 user, password = auth
                 if self.test(user, password):

Attachments (0)

Change History (3)

comment:1 by Jun Omae, 2 years ago

Owner:	set to Jun Omae
Status:	new → assigned

Proposed changes in:

comment:2 by Ryan J Ollos, 2 years ago

Looks good to me.

comment:3 by Jun Omae, 2 years ago

Release Notes:	modified (diff)
Resolution:	→ fixed
Status:	assigned → closed

Thanks for the reviewing. Committed and merged in [17576-17579].

Modify Ticket

Change Properties

Summary:
Description:	I noticed that `BasicAuthentication.do_auth` has an issue in splitting by colon character while working of #13464. In fact, the basic authentication is failing when colon characters are used in the password. {{{#!diff diff --git a/trac/web/auth.py b/trac/web/auth.py index 77744babc..8363bcb0c 100644 --- a/trac/web/auth.py +++ b/trac/web/auth.py @@ -365,7 +365,7 @@ class BasicAuthentication(PasswordFileAuthentication): def do_auth(self, environ, start_response): header = environ.get('HTTP_AUTHORIZATION') if header and header.startswith('Basic'): - auth = b64decode(header[6:]).split(':') + auth = b64decode(header[6:]).split(':', 1) if len(auth) == 2: user, password = auth if self.test(user, password): }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	Fix basic authention when colon characters are used in password.
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jun Omae.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jun Omae to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: