

Sylvain Hellegouarch  committed 7d7e165

Basic encryption now defaults to md5 if not provided. It means that by default passwords should be stored encrypted on the server.

  • Parent commits 2f8d2f3
  • Branches default


Files changed (2)

File cherrypy/lib/auth.py

+import md5
 import cherrypy
 from httpauth import parseAuthorization, checkResponse, basicAuth, digestAuth
             raise cherrypy.HTTPError(400, 'Bad Request')
         if not encrypt:
-            encrypt = lambda x: x
+            encrypt = lambda x: md5.new(x).hexdigest()
         if callable(users):
             users = users() # expect it to return a dictionary
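Review bot: The new default on the `encrypt = lambda x: md5.new(x).hexdigest()` line changes what existing callers must store in `users`. Anyone who omitted `encrypt` and kept plaintext values was previously served by the identity lambda; with this change the password from the user-agent is passed through MD5 first, so those logins stop matching after an upgrade with no error pointing at the cause. Call this out as a breaking change in the release notes and keep a documented way to request the old behaviour explicitly. Separately, a bare MD5 hex digest is unsalted and fast to compute, so equal passwords produce equal stored values; the default would be stronger as a salted, deliberately slow password hash, or the documentation should at least steer callers toward supplying one through `encrypt`.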
     realm: a string containing the authentication realm.
     users: a dict of the form: {username: password} or a callable returning a dict.
     encrypt: callable used to encrypt the password returned from the user-agent.
+             if None it defaults to a md5 encryption.
     if check_auth(users, encrypt):
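Review bot: The added docstring line names the default but not what it requires of `users`: the line above still describes the dict as `{username: password}`, while with the MD5 default the values have to be MD5 hex digests of the passwords. State that on the `users` line, and describe MD5 as a hash rather than an encryption, since the stored value is a digest that is not meant to be reversed. The text also says "if None", whereas the check in `check_auth` is `if not encrypt`, so any falsy value selects the default; make the wording and the test agree.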

File cherrypy/test/test_httpauth.py

             return "This is protected by Basic auth."
         index.exposed = True
-    def md5_encrypt(data):
-        return md5.new(data).hexdigest()
     def fetch_users():
         return {'test': 'test'}
                         'tools.digestauth.users': fetch_users},
             '/basic': {'tools.basicauth.on': True,
                        'tools.basicauth.realm': 'localhost',
-                       'tools.basicauth.users': {'test': md5_encrypt('test')},
-                       'tools.basicauth.encrypt': md5_encrypt}}
+                       'tools.basicauth.users': {'test': md5.new('test').hexdigest()}}}
     root = Root()
     root.digest = DigestProtected()
     root.basic = BasicProtected()
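Review bot: With `md5_encrypt` and the `'tools.basicauth.encrypt'` entry removed, the `/basic` config exercises only the default path, and nothing in the visible test passes a caller-supplied `encrypt` callable any more. Keep a second basic-auth mount that sets `tools.basicauth.encrypt` explicitly, and add a case where `users` holds a plaintext value with no `encrypt` configured and the request is expected to be rejected, so the new default is pinned by a test rather than only implied by the stored digest on the `'tools.basicauth.users'` line.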