[reportlab-users] Python 3.6.0 & reportlab

Glenn Linderman v+python at g.nevcal.com
Tue Jan 3 05:26:44 EST 2017

On 1/3/2017 1:35 AM, Robin Becker wrote:
> Hi Glenn,
> for what it's worth I find that I can download and start to install 
> reportlab with python 3.6 windows x64 frm 
> https://www.reportlab.com/pypi, but the install fails because there 
> are no pre-built pillow wheels as yet. My compile failed with a 
> libjpeg missing error. So as of now your issue remains unsolved.

Yes, I had to install pillow from gohlke's web site before I could 
successfully install reportlab from the downloaded wheel.

But the authentication error prevented me from ever starting to download 
reportlab, to do a compile step for pillow along the way.

> I just wonder if you have an obscure username/password which could 
> blow this code up
> # check HTTP auth credentials
> auth = request.META.get('HTTP_AUTHORIZATION','').split()
> if len(auth)==2 and auth[0]:
>     # only basic auth is supported
>     if auth[0].lower() == "basic":
>     u, p = auth[1].decode('base64').split(':')
>     user = authenticate(username=u, password=p)
> I guess the split is the most likely to be the culprit so ':' is bad 
> in passwords usernames etc etc.

No : in password or username or email address used as username. It is 
all ASCII characters, containing all of upper case, lower case, digits, 
and special characters.  So it is obscure enough, but not probably 
enough to blow up base64 or split(':').

The password and username work to login to the web site; and I'm pretty 
sure that months ago I installed reportlab using pip... to Python 
3.5.x.  This mailing list archive would have the date; at that time, I 
couldn't figure out how to create a username/password pair, and had to 
ask.  That's when I made the username/password, and it worked, and then 
I never used it again until now.

One hopes that your decode('base64') means that pip is encoding base64.

One hopes that in spite of your comment that says HTTP auth credentials, 
that the connection is actually HTTPS.

One should probably put a limit parameter of 1 on the split, to only 
split once, that way, while : would not be permitted in username, it 
could be permitted in passwords.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist2.pair.net/pipermail/reportlab-users/attachments/20170103/ed6efdc3/attachment.html>

More information about the reportlab-users mailing list