[reportlab-users] Python 3.6.0 & reportlab
Glenn Linderman
v+python at g.nevcal.com
Tue Jan 3 05:26:44 EST 2017
On 1/3/2017 1:35 AM, Robin Becker wrote:
> Hi Glenn,
>
> for what it's worth I find that I can download and start to install
> reportlab with python 3.6 windows x64 from
> https://www.reportlab.com/pypi, but the install fails because there
> are no pre-built pillow wheels as yet. My compile failed with a
> libjpeg missing error. So as of now your issue remains unsolved.
Yes, I had to install pillow from gohlke's web site before I could
successfully install reportlab from the downloaded wheel.
But the authentication error prevented me from ever starting to download
reportlab, to do a compile step for pillow along the way.
>
> I just wonder if you have an obscure username/password which could
> blow this code up
>
> # check HTTP auth credentials
> auth = request.META.get('HTTP_AUTHORIZATION','').split()
> if len(auth)==2 and auth[0]:
>     # only basic auth is supported
>     if auth[0].lower() == "basic":
>         u, p = auth[1].decode('base64').split(':')
>         user = authenticate(username=u, password=p)
>
>
> I guess the split is the most likely to be the culprit so ':' is bad
> in passwords usernames etc etc.
No : in password or username or email address used as username. It is
all ASCII characters, containing all of upper case, lower case, digits,
and special characters. So it is obscure enough, but not probably
enough to blow up base64 or split(':').
The password and username work to login to the web site; and I'm pretty
sure that months ago I installed reportlab using pip... to Python
3.5.x. This mailing list archive would have the date; at that time, I
couldn't figure out how to create a username/password pair, and had to
ask. That's when I made the username/password, and it worked, and then
I never used it again until now.
One hopes that your decode('base64') means that pip is encoding base64.
One hopes that in spite of your comment that says HTTP auth credentials,
that the connection is actually HTTPS.
One should probably put a limit parameter of 1 on the split, to only
split once, that way, while : would not be permitted in username, it
could be permitted in passwords.
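
The split-once suggestion above, as an added example that is not part of the original message or of ReportLab's server code: a Python 3 Basic-auth header parser that accepts ':' in passwords and rejects malformed input instead of raising, next to a port of the unbounded split for comparison. The function names and sample credentials are constructed for illustration.

```python
import base64
import binascii


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header value, or None."""
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # only basic auth is supported
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credentials: reject the request, do not raise
    # Split once: the username cannot contain ':', the password can.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no separator at all, so there is no password field
    return username, password


def parse_basic_auth_unbounded(header):
    """The unbounded split from the quoted snippet, ported to Python 3."""
    parts = header.split()
    u, p = base64.b64decode(parts[1]).decode("utf-8").split(":")
    return u, p


def make_header(username, password):
    """Build a header value the way a client would (constructed test input)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    # Constructed credentials: one password without ':' and one with.
    for user, pw in [("user@example.com", "Aa1!x"), ("user@example.com", "Aa1:x")]:
        hdr = make_header(user, pw)
        print("split once:     ", parse_basic_auth(hdr))
        try:
            print("unbounded split:", parse_basic_auth_unbounded(hdr))
        except ValueError as exc:
            # Tuple unpacking fails when the password adds a third field.
            print("unbounded split failed:", exc)
```

In a request handler, the unbounded version's uncaught ValueError would typically surface as a server error rather than as an authentication failure, which makes the cause hard to see from the client side.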