Martin Pool
mbp at samba.org
Wed Sep 25 18:26:47 EST 2002
The mod_python 2.7.8 Publisher assumes that it will only ever be used with Basic authentication. It always returns "400 Bad Request" if it is ever used inside a directory authenticated by Apache's mod_ntlm, which uses the Authorization header with a different format. I suspect it would fail with digest authentication as well. This patch makes the publisher adhere more closely to the RFC2617 specification by checking the authentication scheme name before trying to parse the header. If this could go into 2.7.9 I would be happy.
Index: publisher.py
===================================================================
--- publisher.py
+++ publisher.py 2002-09-25 17:23:05.000000000 +1000
@@ -189,6 +189,29 @@
 else:
 return apache.HTTP_INTERNAL_SERVER_ERROR
+
+def _parse_authentication(req):
+ """Return (username, password) from the Authorization header.
+
+ This only handles HTTP Basic (RFC2617) authentication. In at
+ least two other interesting cases, it is not possible for
+ mod_python to know the password, because it is not included in the
+ request. For authentication schemes other than Basic, (None,
+ None) is returned.
+
+ May raise an exception if the authorization is invalid in some way.
+ """
+ s = req.headers_in["Authorization"]
+ scheme, rest = string.split(s, None, 1)
+ if string.lower(scheme) != 'basic':
+ return None, None
+
+ s = base64.decodestring(rest)
+ user, passwd = string.split(s, ":", 1)
+ return user, passwd
+
+
+
 def process_auth(req, object, realm="unknown", user=None, passwd=None):
 found_auth, found_access = 0, 0
@@ -202,9 +225,7 @@
 # once and the are received as arguments
 if not user and req.headers_in.has_key("Authorization"):
 try:
- s = req.headers_in["Authorization"][6:]
- s = base64.decodestring(s)
- user, passwd = string.split(s, ":", 1)
+ user, passwd = _parse_authentication(req)
 except:
 raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
-- Martin
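Review bot: In `_parse_authentication`, the `(None, None)` returned for a non-Basic scheme looks exactly like a request that carried no credentials, and the docstring does not say how callers must treat it. Because the header was present and may already have been accepted by another Apache module, a caller could be tempted to read "no user" as "already authenticated elsewhere". I would add a sentence to the docstring such as `Callers must treat (None, None) as "no usable credentials" and deny access wherever a user is required.` The helper also indexes `req.headers_in["Authorization"]` directly, so it relies on the caller's `has_key` check; that precondition belongs in the docstring as well.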
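Review bot: The bare `except:` around the new `_parse_authentication(req)` call now converts any failure inside the helper, including a programming error such as a misspelled name, into `HTTP_BAD_REQUEST`. That hides faults in authentication code behind a client-error status. Catching only what a malformed header can raise, for example `except (ValueError, binascii.Error):`, keeps the 400 for bad input and lets real faults surface as server errors; this assumes `binascii` is imported in publisher.py, which the hunk does not show. `process_auth` starts and ends outside the hunk, so the handling of `user` after this block could not be reviewed here.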