author | Richard Jones <richard@mechanicalcat.net> | 2013-07-12 09:55:06 +1000 |
---|---|---|
committer | Richard Jones <richard@mechanicalcat.net> | 2013-07-12 09:55:06 +1000 |
commit | 456a1d2782f6224079079ec7730d3547ef4f09d2 (patch) | |
tree | 83be152c11a9bc0eec483a638749eba1945eae0b | |
parent | 28f1006d60c998b686537efaf704fb71b7bee982 (diff) | |
download | decorator-456a1d2782f6224079079ec7730d3547ef4f09d2.tar.gz |
A few places where the user-supplied username should be matched case-insensitively
-rw-r--r-- | store.py | 18 | ||||
-rw-r--r-- | webui.py | 6 |
2 files changed, 16 insertions, 8 deletions
@@ -1572,15 +1572,20 @@ class Store:
 return otk
 _User = FastResultRow('name password email gpg_keyid last_login!')
- def get_user(self, name):
+ def get_user(self, name, case_sensitive=True):
 ''' Retrieve info about the user from the database.
 Returns a mapping with the user info or None if there is no such user.
 '''
 cursor = self.get_cursor()
- safe_execute(cursor, '''select name, password, email, gpg_keyid, last_login
- from users where name=%s''', (name,))
+ if case_sensitive:
+ sql = '''select name, password, email, gpg_keyid, last_login
+ from users where name=%s'''
+ else:
+ sql = '''select name, password, email, gpg_keyid, last_login
+ from users where lower(name)=lower(%s)'''
+ safe_execute(cursor, , (name,))
 return self._User(None, cursor.fetchone())
 def get_user_by_email(self, email):
@@ -1686,11 +1691,14 @@ class Store:
 safe_execute(self.get_cursor(), "delete from rego_otk where otk=%s", (otk,))
- def get_otk(self, name):
+ def get_otk(self, username):
 ''' Retrieve the One Time Key for the user.
+
+ Username must be a case-sensitive match.
 '''
 cursor = self.get_cursor()
- safe_execute(cursor, "select otk from rego_otk where name=%s", (name, ))
+ safe_execute(cursor, 'select otk from rego_otk where name=%s',
+ (username, ))
 res = cursor.fetchone()
 if res is None:
 return ''
@@ -662,7 +662,7 @@ class WebUI:
 return
 # Fetch the user from the database
- user = self.store.get_user(un)
+ user = self.store.get_user(un, case_sensitive=False)
 # Verify the hash, and see if it needs migrated
 ok, new_hash = self.config.passlib.verify_and_update(pw, user["password"])
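Review bot: The new `lower(name)=lower(%s)` branch in get_user can match more than one row when two accounts differ only in case, and `cursor.fetchone()` then returns whichever row the database yields first, so the login and password-reset callers that pass `case_sensitive=False` could act on an arbitrary one of them. Unless `users.name` already carries a unique index on `lower(name)` (not visible here), fetch every match and treat anything other than exactly one as no user: `rows = cursor.fetchall()` / `return self._User(None, rows[0] if len(rows) == 1 else None)`. SQL `lower()` and Python's `str.lower()` also disagree for some non-ASCII names, so every place that compares usernames should normalise the same way. The rendered line `safe_execute(cursor, , (name,))` shows an empty second argument; presumably the `sql` variable was lost in rendering, but the committed line should read `safe_execute(cursor, sql, (name,))`.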
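Review bot: Once `get_user(un, case_sensitive=False)` can match a name that differs in case from what the client typed, the identity this login establishes should come from the row rather than from `un`: whatever follows (session user, log entries, and the `rego_otk` lookup that this same commit documents as case-sensitive) should use the canonical stored name, e.g. `un = user["name"]` immediately after the fetch. The rest of the login handler is outside the hunk, so I can't confirm whether it already does this. Note too that `user["password"]` on the following line is reached with no `None` check even though get_user documents returning `None` for an unknown user; if the lines before the hunk don't already guarantee existence, an `if not user:` failure branch belongs before the verify call so a bad username fails the same way as a bad password rather than with an exception.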
@@ -2995,12 +2995,12 @@ class WebUI:
 self.write_template("password_reset.pt", title="Request password reset", retry=True)
- user = self.store.get_user(name)
+ user = self.store.get_user(name, case_sensitive=False)
 # typically other systems would not indicate the username is invalid
 # but in PyPI's case the username list is public so this is more
 # user-friendly with no security penalty
 if not user:
- self.fail('user name unknown to me')
+ self.fail('user "%s" unknown to me' % name)
 return
 # existing registration OTK?
 |
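Review bot: `self.fail('user "%s" unknown to me' % name)` now reflects the raw request parameter into the response, which is only safe if `self.fail` HTML-escapes its argument before rendering (it is defined outside this hunk, so I can't tell); otherwise this is a reflected-XSS sink on an unauthenticated endpoint. Either pass an escaped value, e.g. `self.fail('user "%s" unknown to me' % cgi.escape(name, True))`, or confirm and document in `fail()` that it escapes. Separately, after a case-insensitive match the `# existing registration OTK?` lookup that follows (outside the hunk) should use the canonical `user['name']` rather than the typed `name`, since this commit documents `get_otk` as a case-sensitive match.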