Commit message  Author  Age  Files  Lines
* Import StringIO so it can be used.  [stringio]  matt  2013-01-28  1  -0/+1
|
* Merged in mitchellrj/paste/double_slash_at_start_of_path_fix (pull request #10)  Ian Bicking  2012-08-17  3  -23/+77
|\
| * auth/auth_tkt.py: enable overriding digest algorithms  Jan Pokorný  2012-03-05  1  -8/+22
    Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1], not just
    plain MD5. Quoting:

    ----v----
    The default is MD5, which is faster, but has now been shown to be
    vulnerable to collision attacks. Such attacks are not directly applicable
    to mod_auth_tkt, which primarily relies on the security of the shared
    secret rather than the strength of the hashing scheme. More paranoid users
    will probably prefer to use one of the SHA digest types, however. The
    default is likely to change in a future version, so setting the digest
    type explicitly is encouraged.
    ----^----

    Thus, enable it also in this implementation so one can optionally switch
    to a stronger secure hash. Backward compatibility should be untouched as
    ``md5`` is being passed as a default kwarg. The only change affecting
    external world is a new parameter required at ``calculate_digest``
    (specifying the digest to use), but as it has probably no use outside the
    module, this is a non-issue. Alternatively: another optional kwarg.

    Update (based Ian's comments): The algorithm can also be specified as a
    string referring to the algorithm known to hashlib (otherwise
    AttributeError will be raised).

    Example session I used to check it works as expected (longish):

    >>> import sys; sys.path.append('../..')
    >>> from hashlib import sha256, sha512
    >>> execfile('auth_tkt.py')
    >>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
    '39fecb1395af5285232be390eba0eed34f5518c8me!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
    'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
    ...     .cookie_value()
    'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
    ...     .cookie_value()
    'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
    ...     .cookie_value()
    'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
    ...     .cookie_value()
    '9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
    ...     .cookie_value()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "auth_tkt.py", line 107, in __init__
        self.digest_algo = getattr(hashlib, digest_algo)
    AttributeError: 'module' object has no attribute 'foo'
    >>>
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
    (1330977060, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
    ...     .cookie_value(),'0.0.0.0', digest_algo='md5')
    (1330977096, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
    ...     .cookie_value(),'0.0.0.0', digest_algo=sha256)
    (1330977115, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
    ...     .cookie_value(),'0.0.0.0', digest_algo=sha512)
    (1330977125, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
    ...     .cookie_value(),'0.0.0.0')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "auth_tkt.py", line 179, in parse_ticket
        expected=(expected, digest))
    __main__.BadTicket: Digest signature is not correct

    [1] http://linux.die.net/man/3/mod_auth_tkt
| * auth/auth_tkt.py: enable overriding digest algorithms  Jan Pokorný  2012-03-01  1  -14/+27
    Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1], not just
    plain MD5. Quoting:

    ----v----
    The default is MD5, which is faster, but has now been shown to be
    vulnerable to collision attacks. Such attacks are not directly applicable
    to mod_auth_tkt, which primarily relies on the security of the shared
    secret rather than the strength of the hashing scheme. More paranoid users
    will probably prefer to use one of the SHA digest types, however. The
    default is likely to change in a future version, so setting the digest
    type explicitly is encouraged.
    ----^----

    Thus, enable it also in this implementation so one can optionally switch
    to a stronger secure hash. Backward compatibility should be untouched as
    ``md`` is being passed as a default kwarg. The only change affecting
    external world is a new parameter required at ``calculate digest``
    (specifying the digest to use), but as it has probably no use outside the
    module, this is a non-issue. Alternatively: another optional kwarg.

    [1] http://linux.die.net/man/3/mod_auth_tkt
| * Fix digest authentication (it was picking up commas inside of the digest auth values)  Toshio Kuratomi  2011-12-21  1  -4/+29
| * Add files that should be included in the tarball  Toshio Kuratomi  2011-12-21  1  -3/+5
| |
* | Fixed parsing of URL paths starting with multiple slashes.  [double_slash_at_start_of_path_fix]  Richard Mitchell  2012-08-02  2  -1/+4
| |
* | New branch for double-slash fix.  Richard Mitchell  2012-08-02  0  -0/+0
|/
* add news for last commit  Ian Bicking  2011-08-17  1  -0/+7
|
* Automated merge with ssh://bitbucket.org/ianb/paste  Ian Bicking  2011-08-17  1  -2/+1
|\
| * update link to official dev repo  Joshua Bronson  2011-07-19  1  -2/+1
| |
* | Always wrap wsgi.input with LimitedLengthFile, even when using the ContinueHook. Also always use ContinueHook when there is Expect: 100-Continue, even if the server is supposed to be HTTP/1.0 (because the client wouldn't know the server version when it sends the request; curl notably stalls waiting for a continue)  Ian Bicking  2011-08-17  1  -9/+8
|/
* Automated merge with https://bitbucket.org/milinnovations_andreas/paste/  Ian Bicking  2010-11-29  1  -2/+2
|\
| * Add fix to make digest auth with internet explorer 8 (and possibly other versions)  milinnovations_andreas  2010-09-29  1  -2/+2
* | remove old setup.cfg stuff  Ian Bicking  2010-10-28  1  -8/+0
|/
* Fix #444, egg:Paste#cgi should work now  Ian Bicking  2010-09-28  2  -0/+6
|
* Added tag 1.7.5.1 for changeset 53a9cdc44dc0  Ian Bicking  2010-09-20  0  -0/+0
|
* update versions for release  [1.7.5.1]  Ian Bicking  2010-09-20  3  -4/+4
|
* Fix #443: url_unquote undefined  Ian Bicking  2010-09-16  2  -1/+19
|
* Added tag 1.7.5 for changeset 3b337deabee1  Ian Bicking  2010-09-14  0  -0/+0
|
* versions for release  [1.7.5]  Ian Bicking  2010-09-14  3  -4/+4
|
* Automated merge with ssh://bitbucket.org/ianb/paste  Ian Bicking  2010-09-14  8  -18/+37
|\
| * Just a bit more paranoia in quoting comments, though I wasn't able to reproduce any actual issue  Ian Bicking  2010-09-14  4  -3/+13
| * Allow server_address tuples that are longer (specifically for IPv6 support: http://trac.pythonpaste.org/pythonpaste/ticket/275)  Ian Bicking  2010-09-02  1  -5/+4
| * Catch cookie errors when parsing cookies (http://trac.pythonpaste.org/pythonpaste/ticket/189)  Ian Bicking  2010-09-02  2  -3/+11
| * note return value of form.submit  Ian Bicking  2010-09-02  1  -7/+9
| |
* | Fix test broken by 27a36b3e1843 (for http://trac.pythonpaste.org/pythonpaste/ticket/328)  Taavi Burns  2010-09-09  1  -1/+1
|/
* avoid deprecation warnings when using wdg_validate  Ian Bicking  2010-09-02  1  -6/+6
|
* fixes for cgiapp on Windows (http://trac.pythonpaste.org/pythonpaste/ticket/382)  Ian Bicking  2010-09-02  1  -2/+3
|
* Coerce thread id to a long, might fix problems in Ubuntu: http://trac.pythonpaste.org/pythonpaste/ticket/416  Ian Bicking  2010-09-02  1  -3/+3
* Do not set Content-Encoding to 'None' (http://trac.pythonpaste.org/pythonpaste/ticket/427)  Ian Bicking  2010-09-02  1  -2/+7
* A probably incomplete fix for http://trac.pythonpaste.org/pythonpaste/ticket/328 -- quote the path before checking the digest. May not recreate the original quoting, but at least it is more correct than simply appending SCRIPT_NAME and PATH_INFO, which are definitely not quoted.  Ian Bicking  2010-09-02  1  -2/+3
* Always return something from start_response, even if we don't plan to actually use the written response (because it will be forwarded). Might fix: http://trac.pythonpaste.org/pythonpaste/ticket/166  Ian Bicking  2010-09-02  1  -3/+7
* Get rid of misused .remote() method (should have been .delete()): http://trac.pythonpaste.org/pythonpaste/ticket/310  Ian Bicking  2010-09-02  1  -2/+2
* Improve errors when fetching an error page: http://trac.pythonpaste.org/pythonpaste/ticket/123  Ian Bicking  2010-09-02  4  -48/+71
* Add default argument to paste.response.HeaderDict.pop (to make it more like a normal dict): http://trac.pythonpaste.org/pythonpaste/ticket/279  Ian Bicking  2010-09-01  1  -6/+6
* Catch a case where .objects doesn't exist (http://trac.pythonpaste.org/pythonpaste/ticket/408)  Ian Bicking  2010-09-01  1  -57/+61
* Quote usernames in auth_tkt tickets (http://trac.pythonpaste.org/pythonpaste/ticket/380)  Ian Bicking  2010-09-01  2  -16/+22
* Use X-Forwarded-For in translogger: http://trac.pythonpaste.org/pythonpaste/ticket/412 -- also news for last commits  Ian Bicking  2010-09-01  2  -1/+13
* Fix http://trac.pythonpaste.org/pythonpaste/ticket/318 -- handle zero-length responses in gzip middleware  Ian Bicking  2010-09-01  1  -1/+1
* Avoid installing the tests  Ian Bicking  2010-09-01  1  -1/+2
|
* Fix http://trac.pythonpaste.org/pythonpaste/ticket/398 -- properly reject dates that have out-of-range values  Ian Bicking  2010-09-01  2  -1/+11
* news for last couple commits  Ian Bicking  2010-08-20  1  -0/+7
|
* Automated merge with ssh://bitbucket.org/ianb/paste  Ian Bicking  2010-08-20  1  -6/+10
|\
| * Fix problem with CGI apps that don't give a status message, and which mix \n and \r\n in their headers  Ian Bicking  2010-08-20  1  -6/+10
* | Typo  Christoph Zwerschke  2010-08-19  1  -1/+1
| |
* | Added some more test cases to test_mimeparse that I have found here: http://code.google.com/p/mimeparse/source/browse/trunk/testdata.json Also added a link to the project upstream.  Christoph Zwerschke  2010-08-19  2  -8/+66
* | Minor simplification.  Christoph Zwerschke  2010-08-19  1  -8/+4
| |
* | Added unittests for util.mimeparse and made the module more robust and somewhat faster. This also closes tickets #290, #330, #370 and #381.  Christoph Zwerschke  2010-08-19  3  -51/+256
* | The reporter test never created the necessary output directory.  Christoph Zwerschke  2010-08-19  1  -5/+9
|/