diff roundup/roundupdb.py @ 4480:1613754d2646

Fix first part of Password handling security issue2550688 (thanks Joseph Myers for reporting and Eli Collins for fixing). Small change against original patch: We still accept plaintext passwords (in known_schemes) when parsing encrypted password (e.g. from database). This way existing databases with plaintext passwords continue to work (I don't know of any, this would need patching on the users' side) and all regression tests pass.
author Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
date Thu, 14 Apr 2011 12:24:59 +0000
parents 9d37875416c3
children 29576edb45d5
--- a/roundup/roundupdb.py	Thu Apr 14 09:21:23 2011 +0000
+++ b/roundup/roundupdb.py	Thu Apr 14 12:24:59 2011 +0000
@@ -103,8 +103,7 @@
             elif isinstance(proptype, hyperdb.Interval):
                 props[propname] = date.Interval(value)
             elif isinstance(proptype, hyperdb.Password):
-                props[propname] = password.Password()
-                props[propname].unpack(value)
+                props[propname] = password.Password(encrypted=value)
 
         # tag new user creation with 'admin'
         self.journaltag = 'admin'
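Review bot: the new `password.Password(encrypted=value)` call relies on the `Password` constructor accepting an `encrypted` keyword, and that constructor change is not in this diff; make sure the matching roundup/password.py change lands in the same changeset, otherwise importing users through this path fails with a TypeError before `self.journaltag = 'admin'` is reached. The commit message also notes that plaintext values are still accepted when parsing stored passwords so that existing databases keep working; since this is the import path that decides how a stored value is interpreted, a short comment here stating that an unprefixed `value` is treated as a legacy plaintext scheme would document the intended compatibility behaviour and make it easy to remove later.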
@@ -241,7 +240,7 @@
                 user or a user who has already seen the message.
                 Also check permissions on the message if not a system
                 message: A user must have view permission on content and
-                files to be on the receiver list. We do *not* check the 
+                files to be on the receiver list. We do *not* check the
                 author etc. for now.
             """
             allowed = True
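Review bot: this hunk only strips trailing whitespace from a docstring line and is unrelated to the password handling fix; bundling cosmetic changes with a security fix makes the security change harder to audit and to backport, so keep such cleanups in a separate changeset.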

Roundup Issue Tracker: http://roundup-tracker.org/