[issue2550933] Typing mismatched password on user display results in traceback.

John Rouillard

New submission from John Rouillard:

If you go to the edit form for a user e.g. tracker/user3 and type in two
different passwords for the password fields, you get a traceback:

   <type 'exceptions.AttributeError'>: 'str' object has no attribute 'dummystr'

   Debugging information follows

    While evaluating the standard:'context/history' expression on line 163


In cgi/templating.py PasswordHTMLProperty::plain calls:

        if isinstance(self._value, hyperdb.Password):
            value = self._value.dummystr()
        else:
            value = self._('[hidden]')
        if escape:
            value = cgi.escape(value)

I think the intent is to hide the hashed password but display the
schema. I'll bet this worked until the latest changes to better
preserve form data when there is an error. The string value assigned
to the password field is now assigned to _value. I think it used to
initialize _value from the password object in the database.

The password object (via JournalPassword) has a dummystr that represents
the password using the scheme used to encrypt the password and then displays
a placeholder for the encrypted password.

I can fix this by changing the code above to:

        if self._value is None:
            return ''
        if isinstance(self._value, hyperdb.Password):
            value = self._value.dummystr()
        else:
            value = self._('[hidden]')
        if escape:
            value = cgi.escape(value)
        return value

so this hides the password if it's a string.

Arguably an alternate fix could be to access the db and pull the
password from here and call the dummystr() on it, but this only
triggers when people are changing the password and the password field
is masked so why waste the time doing that.

I am not sure when the self._value.dummystr() code would be triggered.
I guess if somebody had a custom index page that displayed the password
field it could be shown.

For history (and in case this helps others understand what is happening
if I got it wrong) full traceback of the failure:

Traceback (most recent call last):
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/client.py", line 1227, in renderContext
    result = pt.render(self, None, None, **args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/engine_zopetal.py", line 92, in render
    getEngine().getContext(c), output, tal=1, strictinsert=0)()
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 192, in __call__
    self.interpret(self.program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 666, in do_useMacro
    self.interpret(macro)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 411, in do_optTag_tal
    self.do_optTag(stuff)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 396, in do_optTag
    return self.no_tag(start, program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 391, in no_tag
    self.interpret(program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 689, in do_defineSlot
    self.interpret(slot)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 632, in do_condition
    self.interpret(block)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 632, in do_condition
    self.interpret(block)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 411, in do_optTag_tal
    self.do_optTag(stuff)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 396, in do_optTag
    return self.no_tag(start, program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 391, in no_tag
    self.interpret(program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 632, in do_condition
    self.interpret(block)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 564, in do_insertStructure_tal
    structure = self.engine.evaluateStructure(expr)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/TALES.py", line 225, in evaluate
    return expression(self)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/Expressions.py", line 193, in __call__
    return self._eval(econtext)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/Expressions.py", line 188, in _eval
    return render(ob, econtext.vars)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/Expressions.py", line 94, in render
    ob = ob()
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/templating.py", line 893, in history
    current[prop_n] = prop.plain(escape=1)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/templating.py", line 1557, in plain
    value = self._value.dummystr()
AttributeError: 'str' object has no attribute 'dummystr'

----------
assignee: rouilj
components: Web interface
messages: 5924
nosy: rouilj
priority: high
severity: urgent
status: new
title: Typing mismatched password on user display results in traceback.
type: crash
versions: devel

________________________________________________
Roundup tracker <[hidden email]>
<http://issues.roundup-tracker.org/issue2550933>
________________________________________________

_______________________________________________
Roundup-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-devel
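
An added reproduction of the failure reported above, not Roundup code: it renders a stored password object, a raw form string and None through an unconditional dummystr() call (as in the last traceback frame) and through the proposed fix. Password, PasswordProperty, render_all and the placeholder format returned by dummystr() are stand-ins assumed for illustration, and html.escape substitutes for cgi.escape so the block runs on Python 3.

```python
import html

class Password:
    """Stand-in for hyperdb.Password (hypothetical, not Roundup's class)."""
    def __init__(self, scheme, digest):
        self.scheme, self.digest = scheme, digest

    def dummystr(self):
        # Assumed placeholder format: scheme shown, digest masked.
        return '{%s}*encrypted*' % self.scheme

class PasswordProperty:
    """Stand-in for PasswordHTMLProperty; _value may hold either type."""
    def __init__(self, value):
        self._value = value

    def plain_before(self, escape=0):
        # Unconditional call, as in the last frame of the traceback.
        value = self._value.dummystr()
        return html.escape(value) if escape else value

    def plain_after(self, escape=0):
        # Proposed fix: None -> '', Password -> masked, anything else hidden.
        if self._value is None:
            return ''
        if isinstance(self._value, Password):
            value = self._value.dummystr()
        else:
            value = '[hidden]'
        if escape:
            value = html.escape(value)  # cgi.escape stand-in
        return value

def render_all(render_name):
    """Render each kind of _value; map it to the output or exception name."""
    samples = {  # constructed sample values
        'from_db': Password('PBKDF2', 'c2FsdA$aGFzaA'),
        'from_form': 'hunter2<script>',  # raw string kept after a form error
        'unset': None,
    }
    out = {}
    for name, value in samples.items():
        try:
            out[name] = getattr(PasswordProperty(value), render_name)(escape=1)
        except AttributeError as exc:
            out[name] = type(exc).__name__
    return out

if __name__ == '__main__':
    print(render_all('plain_before'))
    print(render_all('plain_after'))
```

With the fix, the string typed into the form is never passed to the renderer's output, so a mismatched password cannot end up echoed into the history display.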
Re: [issue2550933] Typing mismatched password on user display results in traceback.

Anthony Pankov
Hello, John.


> If you go to the edit form for a user e.g. tracker/user3 and type in two
> different passwords for the password fields, you get a traceback:

> In cgi/templating.py PasswordHTMLProperty::plain calls:

>         if isinstance(self._value, hyperdb.Password):
>             value = self._value.dummystr()
>         else:
>             value = self._('[hidden]')
>         if escape:
>             value = cgi.escape(value)

I don't have this issue. But I use Jinja2 and my roundup-tracker
source is slightly different:

    def plain(self, escape=0):
        """ Render a "plain" representation of the property
        """
        if not self.is_view_ok():
            return self._('[hidden]')

        if self._value is None:
            return ''
        value = self._value.dummystr()
        if escape:
            value = cgi.escape(value)
        return value

Maybe it doesn't matter. I guess that there is a value substitution
in the password input control in the TAL template. I don't understand TAL so
this is only a guess.


--
Best regards,
 Anthony                          mailto:[hidden email]

