
Sylvain Hellegouarch  committed 7d7e165

Basic auth encryption now defaults to md5 when no encrypt callable is provided. This means that, by default, passwords are expected to be stored md5-hashed on the server.

  • Parent commits 2f8d2f3


Files changed (2)

File cherrypy/lib/auth.py

+import md5
 import cherrypy
 
 from httpauth import parseAuthorization, checkResponse, basicAuth, digestAuth
             raise cherrypy.HTTPError(400, 'Bad Request')
 
         if not encrypt:
-            encrypt = lambda x: x
+            encrypt = lambda x: md5.new(x).hexdigest()
 
         if callable(users):
             users = users() # expect it to return a dictionary
     realm: a string containing the authentication realm.
     users: a dict of the form: {username: password} or a callable returning a dict.
     encrypt: callable used to encrypt the password returned from the user-agent.
+             if None it defaults to a md5 encryption.
     """
     if check_auth(users, encrypt):
         return
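Review bot: The new default `encrypt = lambda x: md5.new(x).hexdigest()` makes an unsalted, fast MD5 digest the stored form of Basic auth passwords, so a leaked `users` dict is exposed to lookup-table and brute-force recovery, and identical passwords share one digest. The docstring should state the new contract, e.g. `users: a dict of the form: {username: md5 hex digest of the password} unless encrypt is given`, because existing configurations that hold plaintext values and set no `encrypt` will presumably stop authenticating after this change. Deployments that need stronger storage should pass their own `encrypt` built on a salted, slow key-derivation function; the one-argument callable seen here appears to leave no room for a per-user salt, which is worth revisiting. The body of `check_auth` continues outside the hunks shown, so how the digest is compared with the stored value is not visible.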

File cherrypy/test/test_httpauth.py

             return "This is protected by Basic auth."
         index.exposed = True
 
-    def md5_encrypt(data):
-        return md5.new(data).hexdigest()
-
     def fetch_users():
         return {'test': 'test'}
 
                         'tools.digestauth.users': fetch_users},
             '/basic': {'tools.basicauth.on': True,
                        'tools.basicauth.realm': 'localhost',
-                       'tools.basicauth.users': {'test': md5_encrypt('test')},
-                       'tools.basicauth.encrypt': md5_encrypt}}
+                       'tools.basicauth.users': {'test': md5.new('test').hexdigest()}}}
     root = Root()
     root.digest = DigestProtected()
     root.basic = BasicProtected()
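Review bot: With `'tools.basicauth.encrypt': md5_encrypt` dropped from the `/basic` config, nothing in the visible test setup exercises a caller-supplied `encrypt` callable any more, only the new md5 default. Consider keeping a second mount (for example a `/basic2` entry) configured with an explicit `encrypt`, plus a negative case where the stored value is plaintext and no `encrypt` is set, asserting that the login is refused. The enclosing setup function starts and ends outside the hunks shown.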