On Mon, 2007-01-01 at 08:36 -0800, Ryan Roth wrote:

> Here is a more polite way of sending the patch, sorry
No problem. However the patch does need some work:

> +password = crypt(password, '$1$'+ 'saltedflavor')

You're using a fixed salt, which rather defeats the purpose of a salt. You should derive the salt from /dev/urandom. (man crypt for details on the legal values for salt.)

> +password = md5.new(password)

This is unnecessary, and in fact if you use a random salt, cannot be done at all. The value returned by crypt() is suitable for writing out directly to the file.

> print 'auth_user(self, username=\"%s\", password=\"%s\")' %
> (username, '******')
> realpass = config.WWW_USERS.get(username)
> - if not realpass:
> - md5user = md5.new(username + password)
> - realpass =
> config.WWW_USERS.get(base64.b32encode(md5user.digest()))
> - md5pass = md5.new(password + username)
> - password = base64.b32encode(md5pass.digest())
> + md5pass = md5.new(password)
> if realpass == password:
> return True
> + elif realpass == b16encode(md5pass.digest()):
> + return True

Hmm, did you test this? I can't figure out how this is supposed to work. Am I right in assuming that the user supplied password is the variable password, and realpass is what's written to the config file (as generated by the passwd helper)? (realpass variable name ought to be changed to cryptpass.) In this case the password helper stored the md5 hash of the crypted version of the password, and this is compared to the md5 of the literal password. Unless I'm missing something, there's no way this can work.

In any case the right approach is to get rid of all the md5 stuff, generate a random salt from /dev/urandom in the password helper and write out the output generated by crypt(). Then in web_types.py, parse the salt from realpass, feed that into crypt() along with password, and compare the return value with realpass.

Thanks,
Jason.
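Review bot: the new `elif realpass == b16encode(md5pass.digest())` branch in auth_user compares an unsalted MD5 of the submitted password against an entry that the helper produces by first running crypt() and then md5 (`+password = crypt(...)` followed by `+password = md5.new(password)`), so the two sides never compute the same function and the comparison cannot match; both sides need to apply one function, i.e. the helper stores the crypt() string and auth_user re-runs crypt() with the salt parsed from that stored string. Two further points: `b16encode` is called unqualified while the removed lines used `base64.b32encode`, so it needs either an import or the `base64.` prefix; and the retained `if realpass == password: return True` branch still accepts a plaintext entry in the config file, which should go once every entry is a crypt() string. In the helper, the fixed `'$1$'+ 'saltedflavor'` salt gives every user with the same password the same stored value; generate the salt per entry from /dev/urandom as suggested above.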
_______________________________________________
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users
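The scheme Jason describes (a random salt from urandom in the passwd helper, the crypt() output stored verbatim, the salt parsed back out of the stored entry at login and fed to crypt() again) as an added Python example; this is not code from the thread or from Freevo. The function names, the SALT_ALPHABET constant, and the PBKDF2-HMAC stand-in used only when the crypt module is absent (it was removed from the Python standard library in 3.13) are my assumptions; a real deployment would look the stored string up in config.WWW_USERS instead of passing it in.

```python
import base64
import hashlib
import hmac
import os

try:
    import crypt  # stdlib through Python 3.12; removed in 3.13
except ImportError:
    crypt = None  # PBKDF2 stand-in below keeps the example runnable

# crypt(3) accepts only these 64 characters in a salt
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def new_salt(length=8):
    """Fresh random salt from os.urandom (/dev/urandom on Unix), mapped onto crypt's alphabet."""
    return "".join(SALT_ALPHABET[b % 64] for b in os.urandom(length))


def hash_with_settings(password, settings):
    """Return '<settings>$<hash>'; settings is '$1$<salt>' (MD5-crypt, as in the
    patch) or '$pbkdf2$<salt>' (PBKDF2-HMAC-SHA256, used only without crypt)."""
    if settings.startswith("$1$") and crypt is not None:
        return crypt.crypt(password, settings) or ""  # "" if libc lacks the method
    if settings.startswith("$pbkdf2$"):
        salt = settings[len("$pbkdf2$"):].encode()
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return settings + "$" + base64.b64encode(dk).decode()
    raise ValueError("unsupported settings: %r" % settings)


def make_password_entry(password):
    """Passwd-helper side: the string to write to config.WWW_USERS, salt included."""
    prefix = "$1$" if crypt is not None else "$pbkdf2$"
    return hash_with_settings(password, prefix + new_salt())


def auth_user(stored, password):
    """web_types.py side: parse the settings (salt) out of the stored entry,
    re-hash the supplied password with them, and compare in constant time.
    A stored value with no '$' (e.g. a plaintext password) is rejected."""
    if not stored or "$" not in stored:
        return False
    settings = stored.rsplit("$", 1)[0]
    try:
        candidate = hash_with_settings(password, settings)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)
```

Because the salt travels inside the stored string, two users with the same password get different entries, and the plaintext fallback branch from the patch is no longer needed.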