Commits

Sylvain Hellegouarch committed 7d7e165

Basic encryption now defaults to md5 if not provided. It means that by default passwords should be stored encrypted on the server.

Comments (0)

Files changed (2)

cherrypy/lib/auth.py

+import md5
 import cherrypy
 
 from httpauth import parseAuthorization, checkResponse, basicAuth, digestAuth
             raise cherrypy.HTTPError(400, 'Bad Request')
 
         if not encrypt:
-            encrypt = lambda x: x
+            encrypt = lambda x: md5.new(x).hexdigest()
 
         if callable(users):
             users = users() # expect it to return a dictionary
     realm: a string containing the authentication realm.
     users: a dict of the form: {username: password} or a callable returning a dict.
     encrypt: callable used to encrypt the password returned from the user-agent.
+             if None it defaults to a md5 encryption.
     """
     if check_auth(users, encrypt):
         return

cherrypy/test/test_httpauth.py

             return "This is protected by Basic auth."
         index.exposed = True
 
-    def md5_encrypt(data):
-        return md5.new(data).hexdigest()
-
     def fetch_users():
         return {'test': 'test'}
 
                         'tools.digestauth.users': fetch_users},
             '/basic': {'tools.basicauth.on': True,
                        'tools.basicauth.realm': 'localhost',
-                       'tools.basicauth.users': {'test': md5_encrypt('test')},
-                       'tools.basicauth.encrypt': md5_encrypt}}
+                       'tools.basicauth.users': {'test': md5.new('test').hexdigest()}}}
     root = Root()
     root.digest = DigestProtected()
     root.basic = BasicProtected()