[csw-devel] SF.net SVN: gar:[20556] csw/mgar/gar/v2/lib
wahwah at users.sourceforge.net
wahwah at users.sourceforge.net
Mon Apr 1 00:32:35 CEST 2013
Revision: 20556
http://gar.svn.sourceforge.net/gar/?rev=20556&view=rev
Author: wahwah
Date: 2013-03-31 22:32:35 +0000 (Sun, 31 Mar 2013)
Log Message:
-----------
pkgdb-web: Don't try to access HTTP_AUTHORIZATION
We only need the user name, and there's a better way to get it, without
exposing the user's password to the script.
Modified Paths:
--------------
csw/mgar/gar/v2/lib/python/rest.py
csw/mgar/gar/v2/lib/web/releases_web.py
Modified: csw/mgar/gar/v2/lib/python/rest.py
===================================================================
--- csw/mgar/gar/v2/lib/python/rest.py 2013-03-31 22:27:43 UTC (rev 20555)
+++ csw/mgar/gar/v2/lib/python/rest.py 2013-03-31 22:32:35 UTC (rev 20556)
@@ -120,7 +120,7 @@
"""Set basic HTTP auth options on given Curl object."""
if self.username:
logging.debug("Using basic AUTH for user %s", self.username)
- c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_ANY)
+ c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
c.setopt(pycurl.USERPWD, "%s:%s" % (self.username, self.password))
else:
logging.debug("User and password not set, not using HTTP AUTH")
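Review bot: With `pycurl.HTTPAUTH_BASIC` the `USERPWD` credentials go out on the first request, only base64-encoded, and nothing visible in this hunk restricts the handle to https URLs. With `HTTPAUTH_ANY` libcurl waited for the server's challenge and could pick a stronger scheme; that negotiation is now gone. The constraint deserves a comment above the `setopt` call, for example `# Basic auth sends the password with every request; the target URL must be https.` Separately, the `"%s:%s"` formatting would split at the wrong place if a user name ever contained a colon. The method starts above the hunk, so a scheme check may already exist elsewhere.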
Modified: csw/mgar/gar/v2/lib/web/releases_web.py
===================================================================
--- csw/mgar/gar/v2/lib/web/releases_web.py 2013-03-31 22:27:43 UTC (rev 20555)
+++ csw/mgar/gar/v2/lib/web/releases_web.py 2013-03-31 22:32:35 UTC (rev 20556)
@@ -151,7 +151,7 @@
if catrel_name not in CAN_UPLOAD_TO_CATALOGS:
# Updates via web are allowed only for the unstable catalog.
# We should return an error message instead.
- raise web.forbidden()
+ raise web.forbidden('Not allowed to upload to %s' % catrel_name)
try:
if arch_name == 'all':
raise checkpkg_lib.CatalogDatabaseError(
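Review bot: The new `web.forbidden(...)` message interpolates `catrel_name` unescaped into the response body. The hunk does not show where `catrel_name` comes from, but if it is taken from the request path and the error is served as HTML, the value is reflected verbatim to the client. Escaping it at the call site is cheap: `raise web.forbidden('Not allowed to upload to %s' % web.websafe(catrel_name))`. The comment above it, "We should return an error message instead", is now out of date and can be dropped. The surrounding method and the `try:` block continue outside the hunk.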
@@ -191,13 +191,8 @@
srv4_to_remove = pkg_in_catalog.srv4file
c.RemoveSrv4(srv4_to_remove, osrel_name, arch_name, catrel_name)
- # Retrieving authentication data from the HTTP environment.
- # If the auth data isn't there, this code will fail.
- auth = web.ctx.env.get('HTTP_AUTHORIZATION')
- if not auth:
- raise web.forbidden()
- auth = re.sub('^Basic ','',auth)
- username, password = base64.decodestring(auth).split(':')
+ # Retrieving logged in user name from the HTTP environment.
+ username = web.ctx.env.get('REMOTE_USER')
c.AddSrv4ToCatalog(srv4, osrel_name, arch_name, catrel_name, who=username)
web.header(
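Review bot: The rewritten lookup drops the fail-closed check that the old code had. `web.ctx.env.get('REMOTE_USER')` returns `None` whenever the front-end server has not authenticated the request, for example if the auth directive is missing for this path, and `AddSrv4ToCatalog` is then called with `who=None`. The old code raised `web.forbidden()` when the auth data was absent. Keeping an equivalent guard directly after the lookup preserves that behaviour: `if not username: raise web.forbidden()`. A short comment saying that `REMOTE_USER` is only trustworthy because the web server sets it after authenticating would also help the next reader. The enclosing method starts and ends outside the hunk.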