delta/python-packages/paste.git/paste, branch stringio bitbucket.org: Obsolete (use python-packages/paste-git) Import StringIO so it can be used. 2013-01-28T16:32:18+00:00 matt matt@xcolour.net 2013-01-28T16:32:18+00:00 56379c9c08f1e28fc42055deb7b162cb942a4c46 






Merged in mitchellrj/paste/double_slash_at_start_of_path_fix (pull request #10)
2012-08-17T21:05:35+00:00

Ian Bicking
ianb@colorstudy.com

2012-08-17T21:05:35+00:00

7b0218607dc97af6d03f5397dbf17b5910fae82e












Fixed parsing of URL paths starting with multiple slashes.
2012-08-02T10:28:01+00:00

Richard Mitchell
richard.j.mitchell@gmail.com

2012-08-02T10:28:01+00:00

9fae57022f1164ea72196dd8e91f73a0463427d8












auth/auth_tkt.py: enable overriding digest algorithms
2012-03-05T20:14:08+00:00

Jan Pokorn?
jpokorny@redhat.com

2012-03-05T20:14:08+00:00

663ec52ddd568148e000f1e7d2ea65d2ec284dd5

Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly applicable
to mod_auth_tkt, which primarily relies on the security of the shared
secret rather than the strength of the hashing scheme. More paranoid users
will probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md5`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate_digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.


Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).


Example session I used to check it works as expected (longish):

>>> import sys; sys.path.append('../..')
>>> from hashlib import sha256, sha512
>>> execfile('auth_tkt.py')
>>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
'39fecb1395af5285232be390eba0eed34f5518c8me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
... .cookie_value()
'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
... .cookie_value()
'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value()
'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
... .cookie_value()
'9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
... .cookie_value()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 107, in __init__
    self.digest_algo = getattr(hashlib, digest_algo)
AttributeError: 'module' object has no attribute 'foo'
>>>
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
(1330977060, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
... .cookie_value(),'0.0.0.0', digest_algo='md5')
(1330977096, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value(),'0.0.0.0', digest_algo=sha256)
(1330977115, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0', digest_algo=sha512)
(1330977125, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 179, in parse_ticket
    expected=(expected, digest))
__main__.BadTicket: Digest signature is not correct


[1] http://linux.die.net/man/3/mod_auth_tkt





Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly applicable
to mod_auth_tkt, which primarily relies on the security of the shared
secret rather than the strength of the hashing scheme. More paranoid users
will probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md5`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate_digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.


Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).


Example session I used to check it works as expected (longish):

>>> import sys; sys.path.append('../..')
>>> from hashlib import sha256, sha512
>>> execfile('auth_tkt.py')
>>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
'39fecb1395af5285232be390eba0eed34f5518c8me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
... .cookie_value()
'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
... .cookie_value()
'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value()
'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
... .cookie_value()
'9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
... .cookie_value()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 107, in __init__
    self.digest_algo = getattr(hashlib, digest_algo)
AttributeError: 'module' object has no attribute 'foo'
>>>
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
(1330977060, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
... .cookie_value(),'0.0.0.0', digest_algo='md5')
(1330977096, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value(),'0.0.0.0', digest_algo=sha256)
(1330977115, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0', digest_algo=sha512)
(1330977125, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 179, in parse_ticket
    expected=(expected, digest))
__main__.BadTicket: Digest signature is not correct


[1] http://linux.die.net/man/3/mod_auth_tkt







auth/auth_tkt.py: enable overriding digest algorithms
2012-02-29T23:56:41+00:00

Jan Pokorn?
jpokorny@redhat.com

2012-02-29T23:56:41+00:00

531c568bd89a2e34ca3077314587e421c5867091

Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be vulnerable
to collision attacks. Such attacks are not directly applicable to
mod_auth_tkt, which primarily relies on the security of the shared secret
rather than the strength of the hashing scheme. More paranoid users will
probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.

[1] http://linux.die.net/man/3/mod_auth_tkt





Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be vulnerable
to collision attacks. Such attacks are not directly applicable to
mod_auth_tkt, which primarily relies on the security of the shared secret
rather than the strength of the hashing scheme. More paranoid users will
probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.

[1] http://linux.die.net/man/3/mod_auth_tkt







Fix digest authentication (it was picking up commas inside of the digest auth values)
2011-12-22T00:08:56+00:00

Toshio Kuratomi
toshio@fedoraproject.org

2011-12-22T00:08:56+00:00

1b75bb83f7e4a4f1ffd7d51e1b2a58469373de0d












Always wrap wsgi.input with LimitedLengthFile, even when using the ContinueHook.  Also always use ContinueHook when there is Expect: 100-Continue, even if the server is supposed to be HTTP/1.0 (because the client wouldn't know the server version when it sends the request; curl notable stalls waiting for a continue)
2011-08-17T20:39:56+00:00

Ian Bicking
ianb@colorstudy.com

2011-08-17T20:39:56+00:00

ccb6218e9c83004c343896d0d333aa346e8e58a9












Add fix to make  digest auth with internet explorer 8 (and possibly other versions)
2010-09-29T15:49:28+00:00

milinnovations_andreas
milinnovations_andreas@milinnovations.com

2010-09-29T15:49:28+00:00

f0eedebcd92b89d7149523bf7242481caddbb74a












Fix #444, egg:Paste#cgi should work now
2010-09-28T23:39:58+00:00

Ian Bicking
ianb@colorstudy.com

2010-09-28T23:39:58+00:00

ff4ed291d93736145a502ac21c8631a887aa500b












Fix #443: url_unquote undefined
2010-09-16T17:18:45+00:00

Ian Bicking
ianb@colorstudy.com

2010-09-16T17:18:45+00:00

dc8a588b82fd813876fbfd1fb68d989b9f16bc5f