Closed yedderson closed 11 years ago
Hello, can you please describe how to reproduce the issue exactly? When testing multiple logins with different passwords make sure that a logout has been done and the cookie has been removed.
Yes, here is a sample application, when you login, the password is simply ignored.
from bottle import request, route, template, default_app, run
from beaker.middleware import SessionMiddleware
from cork import Cork
app = default_app()
aaa = Cork('example_conf')
# I used this code in the 'recreate_example_conf.py' to generated the hashes
# ...
# tstamp = str(datetime.utcnow())
# username = 'root'
# password = 'pwd'
# cork._store.users[username] = {
# 'role': 'admin',
# 'hash': cork._hash(username, password),
# 'email_addr': username + '@localhost.local',
# 'desc': username + ' test user',
# 'creation_date': tstamp
# }
# ...
app = SessionMiddleware(app, {
'beaker.session.auto': True,
'beaker.session.type': 'cookie',
'beaker.session.validate_key': True,
'beaker.session.cookie_expires': True,
'beaker.session.timeout': 3600 * 24})
@route('/login', method=['GET', 'POST'])
def login():
if request.method == 'GET':
return template("""
<html>
<form method="post" action="/login">
<input name="user" required="required" type="text" placeholder="user">
<input name="password" type="password" required="required" placeholder="password">
<input type="submit" name="login" value="login">
</form>
</html>
""")
if request.method == 'POST':
username = request.POST.get('user','')
password = request.POST.get('password','')
aaa.login(username=username, password=password, success_redirect='/', fail_redirect='/login')
@route('/')
def home():
aaa.require(role='admin', fail_redirect='/login')
return 'welcome'
run(app=app, host='0.0.0.0', port=80)
I'm not having any unexpected behavior from the code you pasted. Incorrect passwords are making the login fail. However, you have no code to remove the cookie in that snippet. Try inspecting the cookie on your browser before and during the login.
I'm cleaning the cookies manually, I tested the code above on Opera, Chrome and Firefox and using root/pwd, root/abc, root/anything they all get me in.
I'm using the latest releases for beaker, cork and bottle, are you with this same config ?
Beaker==1.6.4
bottle==0.11.2
bottle-cork==0.2
and here is the details for the cookies I'm getting:
name value domain size path expire
beaker.session.id 78ef4b6864da48d3c62c5ca...3RpbWVxBUdB1CNZUYyLRHUu 127.0.0.1 197 B / Session
what can I do to help debug this code?
The library versions are very close. Can you join the #bottlepy IRC channel on Freenode? In the meantime I'll keep investigating.
Beaker 1.6.3 Bottle 0.11.3 Cork 0.2
Thanks!
Also, did you tried running the unit and functional tests? Are they all successful?
Which version of pycrypto?
bottle-cork uses cypto from beaker.
I'm using pycrypto v. 2.6
I've updated the unit and functional tests to run them on windows as well.
Beaker depends on one of Pycryptopp, NSScrypto, JCEcrypto or Crypto and he's silently failing when no one is installed. this make the whole password verification process for cork useless.
I've successfully tested with Crypto and cryptopp and because there is no dependency check when pip install beaker
the solution is to enforce dependency on Crypto for cork and add some safety checks.
On windows there is no pip install
for any of them, you can get Crypto binaries from here or pycryptopp eggs from here
thanks goes to FedericoCeratto and defnull.
I had added pycrypto dependency in my heroku-fix pull request. Really the solution is probably for beaker to either not silently fail, or to have a hard default dependency. But for cork to be useful, it may be good to just add the default pycrypto as a dependency.
@23min I've just looked into your pull request, yes you're right.
I've added a safety check in this commit: https://github.com/FedericoCeratto/bottle-cork/commit/6f0755ea2ccf53f13858c34f9a320ba75d6d3bb3
I think there is a design issue here. the randomly generated user/password hash cannot be verified against the hash already in the store, it will never match. the verification process is very wrong, if only the username is valid (eg. admin) then ANY password will grant you access.