launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad:basic-auth-password-bytes into launchpad:master

 

Colin Watson has proposed merging ~cjwatson/launchpad:basic-auth-password-bytes into launchpad:master.

Commit message:
Treat basic auth password as bytes

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/396657

zope.publisher.http.HTTPRequest._authUserPW decodes the username and password in a basic auth header to bytes, so we must compare the password that way.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:basic-auth-password-bytes into launchpad:master.
diff --git a/lib/lp/services/webapp/authentication.py b/lib/lp/services/webapp/authentication.py
index 81a2384..c778407 100644
--- a/lib/lp/services/webapp/authentication.py
+++ b/lib/lp/services/webapp/authentication.py
@@ -69,7 +69,8 @@ class PlacelessAuthUtility:
             principal = login_src.getPrincipalByLogin(login)
             if principal is not None and principal.person.is_valid_person:
                 password = credentials.getPassword()
-                if password == config.launchpad.basic_auth_password:
+                if (password ==
+                        config.launchpad.basic_auth_password.encode('ASCII')):
                     # We send a LoggedInEvent here, when the
                     # cookie auth below sends a PrincipalIdentified,
                     # as the login form is never visited for BasicAuth.
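Review bot: In the new condition, `config.launchpad.basic_auth_password.encode('ASCII')` is evaluated inside the comparison itself, so if that config value can be unset (None) or can contain non-ASCII characters, this line raises AttributeError or UnicodeEncodeError instead of simply failing the check, which is what the old `password == config.launchpad.basic_auth_password` comparison did. Consider encoding the configured value before the `if`, with that case handled explicitly. Since this compares a shared secret, `hmac.compare_digest(password, expected)` on the two bytes values would also avoid the early-exit behaviour of `==`. A test that sends basic auth credentials and checks that the bytes password from `credentials.getPassword()` is accepted would pin the behaviour the proposal describes.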