r601 - in zope-exuserfolder/trunk/debian: . patches

Fabio Tranchitella kobold at alioth.debian.org
Fri Feb 9 13:28:36 CET 2007


Author: kobold
Date: 2007-02-09 13:28:36 +0100 (Fri, 09 Feb 2007)
New Revision: 601

Removed:
   zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff
Modified:
   zope-exuserfolder/trunk/debian/changelog
Log:
Preparing the new release.


Modified: zope-exuserfolder/trunk/debian/changelog
===================================================================
--- zope-exuserfolder/trunk/debian/changelog	2007-02-09 12:20:24 UTC (rev 600)
+++ zope-exuserfolder/trunk/debian/changelog	2007-02-09 12:28:36 UTC (rev 601)
@@ -1,3 +1,12 @@
+zope-exuserfolder (0.50.1-7) unstable; urgency=medium
+
+  * debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff:
+    removed, after the introduction of pluggable encryption, the assumptions
+    behind the patch (that the first two characters in 'password' are the
+    encryption salt) seem to not be necesarily true anymore. (Closes: #407836)
+
+ -- Fabio Tranchitella <kobold at debian.org>  Fri,  9 Feb 2007 13:27:45 +0100
+
 zope-exuserfolder (0.50.1-6) unstable; urgency=low
 
   * debian/po/de.po: added, thanks to Helge Kreutzman. (Closes: #407486)
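Review bot: The new 0.50.1-7 entry does not say what becomes of #229003: it removes the patch and closes #407836, but leaves open whether #229003 is reopened or considered obsolete under pluggable encryption. The reason is also given only as "seem to not be" true, which reads as unconfirmed. Suggest adding a line that states where authentication takes its salt from once the patch is gone, and correcting the typo "necesarily" in the same entry.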

Deleted: zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff
===================================================================
--- zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff	2007-02-09 12:20:24 UTC (rev 600)
+++ zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff	2007-02-09 12:28:36 UTC (rev 601)
@@ -1,41 +0,0 @@
-Subject: Bug#229003: Wrong salt used for authentication in User.py
-From: Guenther Starnberger <gst at sysfrog.org>
-Date: Thu, 22 Jan 2004 08:49:24 +0100
-
-The authenticate method in User.py does use the wrong salt for authentication, 
-namely the first two characters of the username (which are also used by the 
-encryption method).
-
-This behaviour may be OK for the encryption method (of course a random salt 
-would be better), but when used in the authentication method it breaks 
-authentication when the username changes (because we don't have the right 
-salt anymore).
-
-The salt is also stored as the two first characters of the crypted password, 
-which can (should) be used as salt for the authentication instead.
-
-To do this the following line (158) in User.py:
-
-secret=self.cryptPassword(self.name, password)
-
-needs to be replaced by:
-
-secret=self.cryptPassword(people['password'][:2], password)
-
-This bugfix should be fully compatible to the old behaviour (if i haven't any 
-errors in my reasoning :).
-
-cu
-/gst
-
---- User.py	2004-02-10 19:45:45.000000000 -0500
-+++ User.py	2004-04-09 23:22:50.000000000 -0400
-@@ -157,7 +157,7 @@
- 			if remoteAuth:
- 				return remoteAuth(self.name, password)
- 			else:
--				secret=self.cryptPassword(self.name, password)
-+				secret=self.cryptPassword(people['password'][:2], password)
- 				return secret==people['password']
- 		return None
- 
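Review bot: Deleting this file returns the `else:` branch at User.py line 158 to `secret=self.cryptPassword(self.name, password)`, which the patch description itself says breaks authentication when the username changes, so the removal reintroduces the behaviour reported in Bug#229003. The description also notes that a random salt would be better than one derived from the username. Instead of dropping the fix outright, consider letting the encryption method in use recover the salt from the stored `people['password']` (or perform the verification itself), so that neither `self.name` nor a fixed `[:2]` slice is assumed. Separately, `return secret==people['password']` in the context lines is an ordinary string comparison, not a constant-time one.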



