CherryPy broken Basic-Auth (for non-ISO-8859-1 strings) - Fix stuck with attempt of a library clean-up


Paul Jaros
Hello

I'm using CherryPy @work and found out that there is a problem when a browser sends its Basic-Auth string encoded in UTF-8. I've documented the behaviour on Stack Overflow and opened a GitHub issue.
Everything felt like we could work out the issue, until it was found that there was a duplicate authentication module which needs some merging and deprecating first.

After a month of further changes, both efforts have come to a full stop. Now, two additional months later, there has been no progress on either of those two issues.

I know this is open source. I know that, generally speaking, I can create my own branch and fix it to my liking. I'm willing to provide improvements, but I have no clue what the master plan for the de-duplication of the authentication module is and thus don't know how to help there.

I have my superiors asking how/if this issue is progressing and I can't give them a good answer. Right now I'm considering switching frameworks because I fear that this issue will never be fixed or that it will emerge too late to be useful.

My question:
Did I miss anything? Are there any options I've missed? Did anybody have similar issues?


--
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/cherrypy-users.
For more options, visit https://groups.google.com/d/optout.

Re: CherryPy broken Basic-Auth (for non-ISO-8859-1 strings) - Fix stuck with attempt of a library clean-up

Sviatoslav Sydorenko
Hi Paul,


I was going to finish that and had it half-done, but got overwhelmed with other stuff and it fell out of focus. I have much more than that to do, but my capacity is limited. It's still on my list.
You can help by submitting PRs against the unfinished branch to augment it incrementally: https://github.com/cherrypy/cherrypy/pull/1683


Now, what you can do in your work project as a completely valid workaround:

Regarding having your own fork: that's not really necessary, because it's a CherryPy tool you refer to and it's a completely extensible and replaceable thing.
All you have to do is to create your own tool the same way and then use it instead. You could register your own toolbox or register that tool in the cherrypy.tools namespace.
Once upstream is improved you can go back to using the original tool.

Ref: https://docs.cherrypy.org/en/latest/extend.html#tools


P.S. Sorry for not getting back to you, sometimes I try to postpone things to get back to them later or they just get lost. Just so you could understand: I currently have 1349 unread GitHub notifications and who-knows-how-many of those from other sources.
P.P.S. Another thing you could do is to encourage others/yourself to share maintenance of a project you clearly depend on: we would be really grateful to anyone trying to reduce our load.


Have a nice day and I hope your case will get solved for good!


On Saturday, 21 April 2018 at 17:28:56 UTC+2, Paul Jaros wrote:
Hello

I'm using CherryPy @work and found out that there is a problem when a browser sends its Basic-Auth string encoded in UTF-8. I've documented the behaviour on Stack Overflow (https://stackoverflow.com/questions/48009727/cherrypy-allways-decodes-basic-auth-with-iso-8859-1) and opened a GitHub issue (https://github.com/cherrypy/cherrypy/issues/1680).
Everything felt like we could work out the issue, until it was found that there was a duplicate authentication module (https://github.com/cherrypy/cherrypy/issues/1688) which needs some merging and deprecating first.

After a month of further changes, both efforts have come to a full stop. Now, two additional months later, there has been no progress on either of those two issues.

I know this is open source. I know that, generally speaking, I can create my own branch and fix it to my liking. I'm willing to provide improvements, but I have no clue what the master plan for the de-duplication of the authentication module is and thus don't know how to help there.

I have my superiors asking how/if this issue is progressing and I can't give them a good answer. Right now I'm considering switching frameworks because I fear that this issue will never be fixed or that it will emerge too late to be useful.

My question:
Did I miss anything? Are there any options I've missed? Did anybody have similar issues?

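The workaround suggested in the reply above, sketched as an added example (it is not code from the thread or from CherryPy itself): a replacement Basic-Auth tool that decodes the credentials as UTF-8 first and falls back to ISO-8859-1. The names `parse_basic_credentials` and `utf8_basic_auth` are hypothetical, and the `checkpassword(realm, user, password)` callback signature is an assumption of this sketch.

```python
import base64
import binascii

try:  # CherryPy is optional here so the decoding logic runs without it
    import cherrypy
except ImportError:
    cherrypy = None


def parse_basic_credentials(header_value, charsets=("utf-8", "iso-8859-1")):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, payload = (header_value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    for charset in charsets:
        try:
            decoded = raw.decode(charset)
        except UnicodeDecodeError:
            continue  # not valid in this charset, try the next one
        # Only the first colon separates user and password
        username, sep, password = decoded.partition(":")
        return (username, password) if sep else None
    return None


def utf8_basic_auth(realm, checkpassword):
    """Hypothetical tool callable; checkpassword(realm, user, password) -> bool."""
    request = cherrypy.serving.request
    creds = parse_basic_credentials(request.headers.get("Authorization"))
    if creds and checkpassword(realm, *creds):
        request.login = creds[0]
        return
    # Advertise UTF-8 so that compliant clients encode credentials that way
    cherrypy.serving.response.headers["WWW-Authenticate"] = (
        'Basic realm="%s", charset="UTF-8"' % realm.replace('"', ""))
    raise cherrypy.HTTPError(401, "Valid credentials are required")


if cherrypy is not None:
    # Enabled per path via tools.utf8_basic_auth.on / .realm / .checkpassword
    cherrypy.tools.utf8_basic_auth = cherrypy.Tool(
        "before_handler", utf8_basic_auth, priority=1)
```

Some ISO-8859-1 byte sequences are also valid UTF-8, so the fallback order decides how ambiguous credentials are read; the password comparison inside `checkpassword` should be constant-time.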

Re: CherryPy broken Basic-Auth (for non-ISO-8859-1 strings) - Fix stuck with attempt of a library clean-up

Sviatoslav Sydorenko
Paul,

I haven't seen you replying @ GitHub, so just to repeat: it's now @ PyPI in v14.2.0.
Feel free to PR any improvements/bugfixes/test coverage/docs if you feel like contributing.

Have a nice day :)

On Saturday, 21 April 2018 at 20:45:28 UTC+2, Sviatoslav Sydorenko (@webknjaz) wrote:
Hi Paul,


I was going to finish that and had it half-done, but got overwhelmed with other stuff and it fell out of focus. I have much more than that to do, but my capacity is limited. It's still on my list.
You can help by submitting PRs against the unfinished branch to augment it incrementally: https://github.com/cherrypy/cherrypy/pull/1683


Now, what you can do in your work project as a completely valid workaround:

Regarding having your own fork: that's not really necessary, because it's a CherryPy tool you refer to and it's a completely extensible and replaceable thing.
All you have to do is to create your own tool the same way and then use it instead. You could register your own toolbox or register that tool in the cherrypy.tools namespace.
Once upstream is improved you can go back to using the original tool.

Ref: https://docs.cherrypy.org/en/latest/extend.html#tools


P.S. Sorry for not getting back to you, sometimes I try to postpone things to get back to them later or they just get lost. Just so you could understand: I currently have 1349 unread GitHub notifications and who-knows-how-many of those from other sources.
P.P.S. Another thing you could do is to encourage others/yourself to share maintenance of a project you clearly depend on: we would be really grateful to anyone trying to reduce our load.


Have a nice day and I hope your case will get solved for good!