On 4/20/07, Giovannetti, Mark <[EMAIL PROTECTED]> wrote:
+ def checkPassword(self, storedPassword, password): + if len(storedPassword) == 48: + salt = storedPassword[0:8] + else: + salt = '' + return storedPassword == self.encodePassword(password, salt)
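Review bot: the `len(storedPassword) == 48` test hard-codes an 8-character salt in front of the 40-character hex digest, yet `encodePassword(password, salt)` accepts a salt of any length; a stored value whose salt is not exactly 8 characters drops into the `else` branch, is re-encoded with an empty salt and fails verification. Either validate the salt length at encode time or derive the salt from the stored value itself, e.g. `salt = storedPassword[:len(storedPassword)-40]`, so that any salt length round-trips.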
Because you allow the passing in of an arbitrary salt on encoding, you should either check the salt length on encoding (ensuring len 8) or, better, do the following:

    def checkPassword(self, storedPassword, password):
        # everything before the 40-character sha hexdigest is the salt
        salt = storedPassword[:len(storedPassword)-40]
        return storedPassword == self.encodePassword(password, salt)

That'll capture any salt length as the sha.hexdigest output is always 40 characters long.

--
Martijn Pieters
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
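The two checkers side by side, as an added example that is not code from the thread or from Zope: it assumes the stored format is salt followed by the 40-character SHA-1 hex digest of salt + password, and shows which salt lengths the fixed-length check rejects while the length-agnostic check accepts them all. The `hmac.compare_digest` call and the short-value guard are additions beyond what the thread discusses.

```python
import hashlib
import hmac

# Assumed encoding scheme, reconstructed from the thread (not Zope's own code):
# stored value = salt + hex(SHA-1(salt + password)); the hex digest is always 40 chars.
def encode_password(password, salt=""):
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return salt + digest

def check_password_fixed_salt(stored, password):
    # The posted patch: only a 48-character value is treated as salted,
    # so any other salt length silently falls back to an empty salt.
    if len(stored) == 48:
        salt = stored[0:8]
    else:
        salt = ""
    return stored == encode_password(password, salt)

def check_password_any_salt(stored, password):
    # Martijn's suggestion: the salt is everything before the 40-char digest.
    if len(stored) < 40:
        return False  # added guard: cannot contain a SHA-1 hex digest at all
    salt = stored[:len(stored) - 40]
    # compare_digest is an addition beyond the thread: constant-time comparison
    return hmac.compare_digest(stored, encode_password(password, salt))

def demo():
    """Verify the same password under three constructed salts with both checkers.

    Returns {salt: (fixed_salt_result, any_salt_result)}.
    """
    results = {}
    for salt in ("", "abcdefgh", "longer-than-eight-chars"):
        stored = encode_password("s3cret", salt)
        results[salt] = (check_password_fixed_salt(stored, "s3cret"),
                         check_password_any_salt(stored, "s3cret"))
    return results

if __name__ == "__main__":
    for salt, (fixed_ok, any_ok) in demo().items():
        print(f"salt={salt!r:28} fixed-length check: {fixed_ok}  any-length check: {any_ok}")
```

Only the 23-character salt differs between the two: the fixed-length check re-encodes it unsalted and rejects a valid password, the length-agnostic check accepts it.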