authentication variables in url when login is incorrect


Fred Nikolayevich

May 21, 2019, 11:47:01 AM
to web...@googlegroups.com
Hi,

I have a problem with the ldap auth since I upgraded my application from web2py 2.14.6 on Python 2.7 to the current web2py 2.18.5 on Python 3.7.

In the old version when I logged in with incorrect credentials it would reload the login page:


on the new version the login form's variables are displayed in the url


I have not really changed anything in the app, only fixed the syntax for Python 3.

I was looking through the Auth and related classes in gluon, but I cannot figure out what may have changed and I am not that knowledgeable about how html forms work to produce this behaviour.

I am generating the auth form with the basic 'form=auth()' in the user controller/view.

Besides the obvious security issue, it results in an error when I enter the correct password on the next attempt, because now 2 passwords are sent in a list in request.vars.

Any ideas?

Many thanks!

Fred

Fred Nikolayevich

May 21, 2019, 12:12:04 PM
to web...@googlegroups.com
Ok I think I found it:

There was a change to this part on Feb 21, 2019:


In gluon/tools.py, in the Auth.login() method, line 2643 has been changed from

redirect(
    self.url(args=request.args, get_vars=request.get_vars, post_vars=request.post_vars),
    client_side=settings.client_side)

to

redirect(self.url(args=request.args, vars=request.vars),client_side=settings.client_side)

Marvix

Apr 28, 2020, 9:56:16 AM
to web...@googlegroups.com
I'm experiencing the same problem.

I also tried the latest version (2.19.1) and it seems it still presents the same inconvenience.

I think this can be considered a serious security problem, as mistyped passwords will be written in clear text to web server logs, proxy logs and so on.

There is also a secondary problem: if I type a wrong password at the first attempt, at the second one the previous password will be sent as an argument, together with the new password.

Authentication will fail even if I typed the correct one and both passwords (the wrong but also the correct one) will be written in the webserver logs in clear text.
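The mechanism behind both symptoms in this thread (the mistyped password landing in the redirect URL, and two passwords arriving as a list on the retry), as an added model in Python that is not web2py's own code: `merge_vars` stands in for how `request.vars` merges GET and POST variables, and `redirect_after_failed_login` models the two versions of the redirect line quoted earlier in the thread. The login path, the `_next` query variable, the username and both passwords are constructed sample values.

```python
# Added model (not web2py's code) of request.vars merging and of the redirect
# built after a failed login, for the two versions of the line discussed here.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOGIN_PATH = "/app/default/user/login"   # constructed path, not from the thread


def merge_vars(get_vars, post_vars):
    """Model of request.vars: GET and POST variables merged into one dict.
    A key present in both ends up as a list [get_value, post_value], which is
    why a password echoed into the URL turns the next posted password into a
    two-element list."""
    merged = dict(get_vars)
    for key, value in post_vars.items():
        if key in merged:
            existing = merged[key]
            existing = existing if isinstance(existing, list) else [existing]
            merged[key] = existing + [value]
        else:
            merged[key] = value
    return merged


def redirect_after_failed_login(get_vars, post_vars, echo_post_vars):
    """URL the login action redirects to after a failed attempt.

    echo_post_vars=True models vars=request.vars (GET and POST merged into the
    query string, the leaky behaviour); False models passing only the
    query-string variables, so posted form fields never reach the URL."""
    qs_vars = merge_vars(get_vars, post_vars) if echo_post_vars else dict(get_vars)
    return urlunsplit(("", "", LOGIN_PATH, urlencode(qs_vars, doseq=True), ""))


def get_vars_of(url):
    """Query-string variables of a URL, as the next request would see them."""
    return dict(parse_qsl(urlsplit(url).query))


def password_in_url(url, secret):
    """True if the secret sits in the query string, i.e. in what web-server
    and proxy access logs record for the redirect target."""
    return secret in urlsplit(url).query


def two_attempts(echo_post_vars, wrong_pw, right_pw):
    """Failed login followed by a retry with the right password.
    Returns (redirect URL after the first attempt, request.vars of the retry)."""
    get_vars = {"_next": "/app/default/index"}            # constructed query var
    first_post = {"username": "alice", "password": wrong_pw}
    redirect_url = redirect_after_failed_login(get_vars, first_post, echo_post_vars)
    # The browser loads redirect_url, so the retried form POSTs to it and
    # request.vars is rebuilt from that URL's query string plus the new POST.
    second_post = {"username": "alice", "password": right_pw}
    return redirect_url, merge_vars(get_vars_of(redirect_url), second_post)


if __name__ == "__main__":
    for echo in (True, False):
        url, retry_vars = two_attempts(echo, "wr0ng-pass", "c0rrect-pass")
        print("vars=request.vars" if echo else "query vars only", "->", url)
        print("  retry sees password =", retry_vars["password"])
```

Run as a script, the first iteration shows the wrong password in the redirect URL and a two-element password list on the retry; the second keeps the `_next` variable in the URL but nothing that was posted, and the retry sees a single password string.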

egamarro dpu

May 25, 2020, 12:29:18 AM
to web2py-users

I'm pretty sure Fred found the right line to fix this. Building on Fred's suggestion, I fixed it this way:

< redirect(self.url(args=request.args, vars=request.vars),client_side=settings.client_side)

> redirect(self.url(),client_side=settings.client_side)
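Review bot: Dropping `vars=request.vars` removes the leak, but `redirect(self.url(), client_side=settings.client_side)` also drops `args=request.args` (so the retry lands on the bare user URL rather than the same path) and the query-string variables that the pre-Feb-2019 version passed separately as `get_vars=request.get_vars`, e.g. a post-login destination parameter if the app uses one. Consider keeping `args=request.args` and passing only the query-string variables (`request.get_vars` rather than `request.vars`), which keeps the posted form fields out of the URL without changing where the retry lands.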

Marvi Benedet

May 26, 2020, 11:57:46 PM
to web...@googlegroups.com
Thanks!
It seems ok!!
I hope it will be corrected soon in the official version, as it should be considered a serious security bug.
