summaryrefslogtreecommitdiff
path: root/paste
Commit message (Collapse)AuthorAgeFilesLines
* Import StringIO so it can be used.stringiomatt2013-01-281-0/+1
|
* Merged in mitchellrj/paste/double_slash_at_start_of_path_fix (pull request #10)Ian Bicking2012-08-172-20/+72
|\
| * auth/auth_tkt.py: enable overriding digest algorithmsJan Pokorn?2012-03-051-8/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1], not just plain MD5. Quoting: ----v---- The default is MD5, which is faster, but has now been shown to be vulnerable to collision attacks. Such attacks are not directly applicable to mod_auth_tkt, which primarily relies on the security of the shared secret rather than the strength of the hashing scheme. More paranoid users will probably prefer to use one of the SHA digest types, however. The default is likely to change in a future version, so setting the digest type explicitly is encouraged. ----^---- Thus, enable it also in this implementation so one can optionally switch to a stronger secure hash. Backward compatibility should be untouched as ``md5`` is being passed as a default kwarg. The only change affecting external world is a new parameter required at ``calculate_digest`` (specifying the digest to use), but as it has probably no use outside the module, this is a non-issue. Alternatively: another optional kwarg. Update (based Ian's comments): The algorithm can also be specified as a string referring to the algorithm known to hashlib (otherwise AttributeError will be raised). Example session I used to check it works as expected (longish): >>> import sys; sys.path.append('../..') >>> from hashlib import sha256, sha512 >>> execfile('auth_tkt.py') >>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value() '39fecb1395af5285232be390eba0eed34f5518c8me!' >>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value() 'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!' >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \ ... .cookie_value() 'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!' >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \ ... .cookie_value() 'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!' >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \ ... .cookie_value() 'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!' >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \ ... .cookie_value() '9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!' >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \ ... .cookie_value() Traceback (most recent call last): File "<stdin>", line 1, in <module> File "auth_tkt.py", line 107, in __init__ self.digest_algo = getattr(hashlib, digest_algo) AttributeError: 'module' object has no attribute 'foo' >>> >>> parse_ticket('secret', \ ... AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0') (1330977060, 'me', [''], '') >>> parse_ticket('secret', \ ... AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \ ... .cookie_value(),'0.0.0.0', digest_algo='md5') (1330977096, 'me', [''], '') >>> parse_ticket('secret', \ ... AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \ ... .cookie_value(),'0.0.0.0', digest_algo=sha256) (1330977115, 'me', [''], '') >>> parse_ticket('secret', \ ... AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \ ... .cookie_value(),'0.0.0.0', digest_algo=sha512) (1330977125, 'me', [''], '') >>> parse_ticket('secret', \ ... AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \ ... .cookie_value(),'0.0.0.0') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "auth_tkt.py", line 179, in parse_ticket expected=(expected, digest)) __main__.BadTicket: Digest signature is not correct [1] http://linux.die.net/man/3/mod_auth_tkt
| * auth/auth_tkt.py: enable overriding digest algorithmsJan Pokorn?2012-03-011-14/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1], not just plain MD5. Quoting: ----v---- The default is MD5, which is faster, but has now been shown to be vulnerable to collision attacks. Such attacks are not directly applicable to mod_auth_tkt, which primarily relies on the security of the shared secret rather than the strength of the hashing scheme. More paranoid users will probably prefer to use one of the SHA digest types, however. The default is likely to change in a future version, so setting the digest type explicitly is encouraged. ----^---- Thus, enable it also in this implementation so one can optionally switch to a stronger secure hash. Backward compatibility should be untouched as ``md`` is being passed as a default kwarg. The only change affecting external world is a new parameter required at ``calculate digest`` (specifying the digest to use), but as it has probably no use outside the module, this is a non-issue. Alternatively: another optional kwarg. [1] http://linux.die.net/man/3/mod_auth_tkt
| * Fix digest authentication (it was picking up commas inside of the digest ↵Toshio Kuratomi2011-12-211-4/+29
| | | | | | | | auth values)
* | Fixed parsing of URL paths starting with multiple slashes.double_slash_at_start_of_path_fixRichard Mitchell2012-08-021-1/+2
|/
* Always wrap wsgi.input with LimitedLengthFile, even when using the ↵Ian Bicking2011-08-171-9/+8
| | | | ContinueHook. Also always use ContinueHook when there is Expect: 100-Continue, even if the server is supposed to be HTTP/1.0 (because the client wouldn't know the server version when it sends the request; curl notable stalls waiting for a continue)
* Add fix to make digest auth with internet explorer 8 (and possibly other ↵milinnovations_andreas2010-09-291-2/+2
| | | | versions)
* Fix #444, egg:Paste#cgi should work nowIan Bicking2010-09-281-0/+1
|
* Fix #443: url_unquote undefinedIan Bicking2010-09-161-1/+14
|
* Automated merge with ssh://bitbucket.org/ianb/pasteIan Bicking2010-09-145-17/+31
|\
| * Just a bit more paranoia in quoting comments, though I wasn't able to ↵Ian Bicking2010-09-142-2/+9
| | | | | | | | reproduce any actual issue
| * Allow server_address tuples that are longer (specifically for IPv6 support: ↵Ian Bicking2010-09-021-5/+4
| | | | | | | | http://trac.pythonpaste.org/pythonpaste/ticket/275)
| * Catch cookie errors when parsing cookies ↵Ian Bicking2010-09-021-3/+9
| | | | | | | | (http://trac.pythonpaste.org/pythonpaste/ticket/189)
| * note return value of form.submitIan Bicking2010-09-021-7/+9
| |
* | Fix test broken by 27a36b3e1843 (for ↵Taavi Burns2010-09-091-1/+1
|/ | | | http://trac.pythonpaste.org/pythonpaste/ticket/328)
* avoid deprecation warnings when using wdg_validateIan Bicking2010-09-021-6/+6
|
* fixes for cgiapp on Windows (http://trac.pythonpaste.org/pythonpaste/ticket/382)Ian Bicking2010-09-021-2/+3
|
* Coerce thread id to a long, might fix problems in Ubuntu: ↵Ian Bicking2010-09-021-3/+3
| | | | http://trac.pythonpaste.org/pythonpaste/ticket/416
* Do not set Content-Encoding to 'None' ↵Ian Bicking2010-09-021-2/+7
| | | | (http://trac.pythonpaste.org/pythonpaste/ticket/427)
* A probably incomplete fix for ↵Ian Bicking2010-09-021-2/+3
| | | | http://trac.pythonpaste.org/pythonpaste/ticket/328 -- quote the path before checking the digest. May not recreate the original quoting, but at least it is more correct than simply appending SCRIPT_NAME and PATH_INFO, which are definitely not quoted.
* Always return something from start_response, even if we don't plan to ↵Ian Bicking2010-09-021-3/+7
| | | | actually use the written response (because it will be forwarded). Might fix: http://trac.pythonpaste.org/pythonpaste/ticket/166
* Get rid of misused .remote() method (should have been .delete()): ↵Ian Bicking2010-09-021-2/+2
| | | | http://trac.pythonpaste.org/pythonpaste/ticket/310
* Improve errors when fetching an error page: ↵Ian Bicking2010-09-022-43/+54
| | | | http://trac.pythonpaste.org/pythonpaste/ticket/123
* Add default argument to paste.response.HeaderDict.pop (to make it more like ↵Ian Bicking2010-09-011-6/+6
| | | | a normal dict): http://trac.pythonpaste.org/pythonpaste/ticket/279
* Catch a case where .objects doesn't exist ↵Ian Bicking2010-09-011-57/+61
| | | | (http://trac.pythonpaste.org/pythonpaste/ticket/408)
* Quote usernames in auth_tkt tickets ↵Ian Bicking2010-09-011-16/+19
| | | | (http://trac.pythonpaste.org/pythonpaste/ticket/380)
* Use X-Forwarded-For in translogger: ↵Ian Bicking2010-09-011-1/+6
| | | | http://trac.pythonpaste.org/pythonpaste/ticket/412 -- also news for last commits
* Fix http://trac.pythonpaste.org/pythonpaste/ticket/318 -- handle zero-length ↵Ian Bicking2010-09-011-1/+1
| | | | responses in gzip middleware
* Fix http://trac.pythonpaste.org/pythonpaste/ticket/398 -- properly reject ↵Ian Bicking2010-09-011-1/+1
| | | | dates that have out-of-range values
* Automated merge with ssh://bitbucket.org/ianb/pasteIan Bicking2010-08-201-6/+10
|\
| * Fix problem with CGI apps that don't give a status message, and which mix \n ↵Ian Bicking2010-08-201-6/+10
| | | | | | | | and \r\n in their headers
* | TypoChristoph Zwerschke2010-08-191-1/+1
| |
* | Added some more test cases to test_mimeparse that I have found here:Christoph Zwerschke2010-08-191-4/+6
| | | | | | | | | | http://code.google.com/p/mimeparse/source/browse/trunk/testdata.json Also added a link to the project upstream.
* | Minor simplification.Christoph Zwerschke2010-08-191-8/+4
| |
* | Added unittests for util.mimeparse and made the module more robust and ↵Christoph Zwerschke2010-08-191-49/+65
|/ | | | | | somewhat faster. This also closes tickets #290, #330, #370 and #381.
* add a missing desired_matches function to mimeparse (was removed upstream, ↵Ian Bicking2010-06-231-11/+34
| | | | but still used in paste)
* Fix XSS attacks as reported by Tim WintleIan Bicking2010-06-153-17/+22
|
* fix exception catching syntaxIan Bicking2010-06-071-38/+38
|
* Make sure all necessary media files come with evalexceptionIan Bicking2010-04-202-6/+7834
|
* remove directory name from 404 errorsIan Bicking2010-03-311-4/+1
|
* update mimeparseIan Bicking2010-03-311-97/+39
|
* do a proper read with 100 Continueianb2009-09-021-1/+1
|
* Paste: fix Ticket #299maluke2009-07-012-1/+3
|
* remove spurious printianb2009-06-091-1/+0
|
* Add a warning about the unused warning_level parameterianb2009-05-051-9/+4
|
* typo in docstringianb2009-05-051-1/+1
|
* fix that last commitianb2009-04-241-1/+1
|
* Avoid some unicode errors in httpexceptionsianb2009-04-241-7/+9
|
* Fix the auth_tkt middleware so it doesn't give exceptions when the token is badianb2009-03-071-9/+9
|
View Lorry Controller Status