Sylvain Hellegouarch  committed 7d7e165

Basic encryption now defaults to md5 if not provided. It means that by default passwords should be stored encrypted on the server.

  • Parent commits 2f8d2f3

Files changed (2)

File cherrypy/lib/

+import md5
 import cherrypy
 from httpauth import parseAuthorization, checkResponse, basicAuth, digestAuth
             raise cherrypy.HTTPError(400, 'Bad Request')
         if not encrypt:
-            encrypt = lambda x: x
+            encrypt = lambda x:
         if callable(users):
             users = users() # expect it to return a dictionary
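
Review bot: the new fallback under `if not encrypt:` is a backward-incompatible change for any existing configuration that passes plaintext values in `users` and no `encrypt` callable: the submitted password is now hashed before comparison, so those logins stop matching without any error pointing at the cause. Call this out in the upgrade notes, and consider testing `encrypt is None` rather than `not encrypt` so that only an omitted argument triggers the default. An unsalted md5 digest is also a weak format for stored passwords (identical passwords give identical digests and it is fast to brute-force), so the documentation should steer deployments toward supplying their own salted, slow hash through `encrypt` instead of relying on the default.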
     realm: a string containing the authentication realm.
     users: a dict of the form: {username: password} or a callable returning a dict.
     encrypt: callable used to encrypt the password returned from the user-agent.
+             if None it defaults to a md5 encryption.
     if check_auth(users, encrypt):
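
Review bot: the docstring is now inconsistent with the behaviour, because the `users` line still reads `{username: password}` while the added `encrypt` line says the default is md5. State explicitly that the values in `users` must be in the form `encrypt` produces, and that with `encrypt` left as None this means md5 digests of the passwords. It would also help to say "hash" rather than "encryption" here, since md5 is a one-way digest and nothing is decrypted.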

File cherrypy/test/

             return "This is protected by Basic auth." = True
-    def md5_encrypt(data):
-        return
     def fetch_users():
         return {'test': 'test'}
                         'tools.digestauth.users': fetch_users},
             '/basic': {'tools.basicauth.on': True,
                        'tools.basicauth.realm': 'localhost',
-                       'tools.basicauth.users': {'test': md5_encrypt('test')},
-                       'tools.basicauth.encrypt': md5_encrypt}}
+                       'tools.basicauth.users': {'test':'test').hexdigest()}}}
     root = Root()
     root.digest = DigestProtected()
     root.basic = BasicProtected()
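
Review bot: removing `'tools.basicauth.encrypt': md5_encrypt` from the `/basic` config means the test suite no longer exercises a caller-supplied `encrypt` callable, only the new default. Keep a second basic-auth mount that still passes an explicit `encrypt` so the override path stays covered, and add a negative case where `users` holds a plaintext password with no `encrypt`, asserting that authentication is refused under the new default.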