Ticket #788 (enhancement)
Opened 5 months ago
Last modified 5 months ago
Suggestion for enhancement of _checkBasicResponse()
Status: closed (fixed)
| Reported by: | fischer@snom.com | Assigned to: | lawouach |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | CherryPy code | Keywords: | |
| Cc: | | | |
I would like to suggest an enhancement of _checkBasicResponse() as shown by the following diff:
--- a/PyLib/CherryPy-3.1b1-py2.5.egg/cherrypy/lib/httpauth.py
+++ b/PyLib/CherryPy-3.1b1-py2.5.egg/cherrypy/lib/httpauth.py
@@ -309,7 +309,7 @@ def _checkDigestResponse(auth_map, password,
method = "GET", A1 = None, **kwargs
return response == auth_map["response"]
def _checkBasicResponse (auth_map, password, method='GET',
encrypt=None, **kwargs):
- return encrypt(auth_map["password"]) == password
+ return encrypt(auth_map["password"], auth_map["username"]) ==
password
AUTH_RESPONSES = {
"basic": _checkBasicResponse,
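Review bot: the changed return in _checkBasicResponse() now calls encrypt with two positional arguments unconditionally, so any existing encrypt callable that accepts only the password will raise TypeError on every Basic login. Consider falling back to the one-argument call when the callable does not take a username, and document the new (password, username) signature. Separately, encrypt still defaults to None in the signature, so a caller that omits it fails at the call site instead of with a clear error.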
The addition of a second parameter providing the user name to encrypt() would ease the life of CherryPy users writing an encryption function for basic HTTP authentication. Sometimes the encryption function needs additional information on how to encrypt the password; for example, think about encrypting a password the way Unix/Linux does:
crypt.crypt(password, salt)
in which salt is the encrypted password, which cannot be guessed in the encryption function unless additional information, such as the corresponding user name, is available.
Best regards, Sven
Change History
02/18/08 12:16:22: Modified by lawouach
- status changed from new to closed.
- resolution set to fixed.


Fixed in [1889] for the CP 3.0.x branch and in [1890] for the 3.1.x branch (current trunk). This should keep backward compatibility for previous code using encrypt callables that expect only the password.
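The kind of username-aware encrypt callable the ticket asks for, as an added example in current Python that is not CherryPy's code and not taken from changesets [1889] or [1890]. The user store, `check_basic_response`, `legacy_encrypt`, the use of PBKDF2 in place of `crypt.crypt`, and the arity check used for backward compatibility are all assumptions of this example.

```python
import hashlib
import hmac
import inspect

def _derive(password, salt):
    # PBKDF2 stands in for crypt.crypt(password, salt); that swap is this example's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()

# Constructed sample store: username -> per-user salt and stored hash.
USERS = {
    name: {"salt": salt, "hash": _derive(pw, salt)}
    for name, pw, salt in [
        ("alice", "wonderland", b"constructed-salt-a"),
        ("bob", "builder", b"constructed-salt-b"),
    ]
}

def encrypt(password, username):
    """Two-argument callable: the username selects the salt to hash with."""
    record = USERS.get(username)
    # Unknown users get a fixed dummy salt so the same amount of work is done.
    salt = record["salt"] if record else b"constructed-dummy-salt"
    return _derive(password, salt)

def legacy_encrypt(password):
    """Older one-argument callable with no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_basic_response(auth_map, stored, encrypt):
    """Hypothetical stand-in for the patched _checkBasicResponse()."""
    # Assumption: arity is detected by counting the callable's declared parameters.
    accepts_user = len(inspect.signature(encrypt).parameters) >= 2
    if accepts_user:
        candidate = encrypt(auth_map["password"], auth_map["username"])
    else:
        candidate = encrypt(auth_map["password"])
    # Constant-time comparison is an addition here; the ticket's code uses ==.
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    creds = {"username": "alice", "password": "wonderland"}
    print(check_basic_response(creds, USERS["alice"]["hash"], encrypt))
    print(check_basic_response(creds, legacy_encrypt("wonderland"), legacy_encrypt))
```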