Bug in HTTP Basic Auth

jimmy

Oct 22, 2012, 6:03:08 PM
to Paste Users
I couldn't get to your trac instance. (http://pythonpaste.org/trac/report)
redirects to (http://trac.pythonpaste.org/pythonpaste/report)
which gives a 502 Bad Gateway response.

I am using RhodeCode (v1.4.4) (http://rhodecode.org/) which can use
Paste. I have Paste v1.7.5.1 installed (in a virtualenv on Solaris 11
FWIW). When accessing a repo using HTTP basic authentication in the
URL with Mercurial on the command line:

http://user:pass...@example.com/repo -- Everything works fine,
authentication passes and the action proceeds

http://example.com/repo -- I get prompted to input username and then
password, everything proceeds fine

http://us...@example.com/repo -- I do not get prompted for password.
Instead an exception is thrown and the traceback leads to:

  File "/home/admin/rhode-virt/lib/python2.6/site-packages/paste/auth/basic.py", line 48, in authenticate
    username, password = auth.split(':', 1)
ValueError: need more than 1 value to unpack

So it seems to not handle the case when the username is provided but
the password is not. Applying this diff seems to fix it:

--- basic.py 2012-10-23 10:28:31.000000000 +1300
+++ basic.py.1.7.5.1.FIXED 2012-10-19 19:50:46.000000000 +1300
@@ -45,7 +45,11 @@
if 'basic' != authmeth.lower():
return self.build_authentication()
auth = auth.strip().decode('base64')
- username, password = auth.split(':', 1)
+ if ':' in auth:
+ username, password = auth.split(':', 1)
+ else:
+ username = auth
+ password = None
if self.authfunc(environ, username, password):
return username
return self.build_authentication()
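
Review bot: In the else branch, password = None is still passed to self.authfunc(environ, username, password), so every authfunc now has to cope with a None password: one that calls string methods on it will raise, and one that compares it against a stored value that may itself be None could accept the login. Returning self.build_authentication() when ':' is absent would send the 401 challenge and keep malformed credentials away from authfunc. The context line auth.strip().decode('base64') can also raise on input that is not valid base64, so it merits the same handling.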
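
The header handling discussed in the post above, as an added Python 3 example that is not code from Paste or RhodeCode: a decoded value with no colon is treated as malformed and answered with a fresh challenge, so the auth function is never called with a None password. The function names and the two-argument `authfunc` are assumptions made for this illustration.

```python
import base64


def parse_basic_credentials(header_value):
    """Return (username, password) from an Authorization header value.

    Returns None whenever the caller should answer with a 401 challenge:
    missing header, wrong scheme, invalid base64, undecodable bytes,
    or a decoded value without the ':' separator.
    """
    if not header_value:
        return None
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        # binascii.Error and UnicodeDecodeError both subclass ValueError.
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        # Username only, as in the traceback above: malformed, not "None password".
        return None
    # Split on the first colon only, so passwords may contain ':'.
    return username, password


def authenticate(header_value, authfunc):
    """Return the username on success, or None to signal a 401 challenge.

    authfunc(username, password) is a hypothetical callback for this example.
    """
    creds = parse_basic_credentials(header_value)
    if creds is None:
        return None
    username, password = creds
    return username if authfunc(username, password) else None


def make_header(raw):
    """Build a constructed sample header from a raw credential string."""
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")
```

An empty password (`user:`) still reaches `authfunc` as an empty string, which keeps the accept or reject decision in one place.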