Bug#407836: zope-exuserfolder: Patch for 229003 breaks with pluggable encryption modules
Luis Rodrigo Gallardo Cruz
rodrigo at nul-unu.com
Sun Jan 21 19:50:16 CET 2007
Package: zope-exuserfolder
Version: 0.50.1-5
Severity: important
The patch used for #229003 replaces self.name with
people['password'][:2] in User.py. Unfortunately, after the
introduction of pluggable encryption, the assumptions behind the patch
(that the first two characters in 'password' are the encryption salt)
seem to not be necessarily true anymore. Thus, the encryption routine
is being called with the wrong salt during authentication, leading to
authentication failures.
A workaround fix is to disable the patch.
A proper fix would probably require changing the encryption plugins'
authentication method to take the triple
(username, typed_password, stored_encrypted_password)
and let them decide what the salt is.
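
The following is an added illustration, not part of the original report and not exUserFolder's code: two constructed password plugins show why a caller that takes stored[:2] as the salt only works for crypt-style formats, while a verify method receiving the triple works for both. The class names, method names and the two hash formats are hypothetical.

```python
import base64, hashlib, hmac, os

class PrefixSaltPlugin:
    """Constructed crypt()-like scheme: stored = 2-char salt + hex digest."""
    def encrypt(self, password, salt=None):
        salt = salt or base64.b64encode(os.urandom(2)).decode()[:2]
        return salt + hashlib.sha256((salt + password).encode()).hexdigest()

    def verify(self, username, typed_password, stored):
        # Here the salt really is the first two characters.
        return hmac.compare_digest(self.encrypt(typed_password, stored[:2]), stored)

class SuffixSaltPlugin:
    """Constructed SSHA-like scheme: stored = '{SSHA}' + b64(digest + salt)."""
    def encrypt(self, password, salt=None):
        salt = salt or os.urandom(4).hex()
        digest = hashlib.sha1((password + salt).encode()).digest()
        return "{SSHA}" + base64.b64encode(digest + salt.encode()).decode()

    def verify(self, username, typed_password, stored):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        salt = raw[20:].decode()  # salt follows the 20-byte SHA-1 digest
        return hmac.compare_digest(self.encrypt(typed_password, salt), stored)

def caller_guesses_salt(plugin, typed_password, stored):
    """Pattern the report describes: the caller assumes stored[:2] is the salt."""
    return hmac.compare_digest(plugin.encrypt(typed_password, stored[:2]), stored)

def demo():
    """Return (caller-guess result, verify correct pw, verify wrong pw) per plugin."""
    results = {}
    for plugin in (PrefixSaltPlugin(), SuffixSaltPlugin()):
        stored = plugin.encrypt("hunter2")  # constructed sample password
        results[type(plugin).__name__] = (
            caller_guesses_salt(plugin, "hunter2", stored),
            plugin.verify("alice", "hunter2", stored),
            plugin.verify("alice", "wrong", stored),
        )
    return results

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

With the suffix-salt format the caller's guess passes "{S" as the salt, so the correct password is rejected, which is the authentication failure the report describes.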