[Tutor] CGI problem.

Mark Kels mark.kels at gmail.com
Mon Nov 8 16:32:46 CET 2004


On Sun, 07 Nov 2004 15:41:49 -0500, Kent Johnson
<kent_johnson at skillsoft.com> wrote:
> At 09:31 PM 11/7/2004 +0200, Mark Kels wrote:
> 
> 
> >On Sun, 07 Nov 2004 12:14:45 -0500, Kent Johnson
> ><kent_johnson at skillsoft.com> wrote:
> > > Can you post an example of a clear-text password and the hash you expect to
> > > see from it?
> > > How are you generating the hashes you are comparing against?
> >
> >The password is 124 (as a string), and the hash is
> >\xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E .
> >I generated the hash that is in the file with IDLE (using the md5 module).
> 
> Aahhhhh...the light goes on....
> You did something like this in IDLE:
>  >>> import md5
>  >>> p='124'
>  >>> md5.new(p).digest()
> '\xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E'
> 
> Then you copied \xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E and
> pasted it into a file. Later you read it back from the file and compare
> with the hash you get in the CGI and they don't match.
> 
> The problem is that the string you are pasting into the file is the repr()
> of the string - it is the way the string would look if you put it into
> source code in a Python program. The characters in the string with values >
> 127 are represented with \x escapes, not as the actual character.
> 
> Whenever you work in the interactive interpreter, results can be printed in
> two different ways. If you let the interpreter print for you, it prints
> repr(value). If you explicitly use print, you get str(value). These are
> often similar, but not always. I think of repr() as the programmer's view
> of the data, and str() as the user's view.
> 
> For example, even with a simple string there is a difference:
>  >>> s='a'
>  >>> s
> 'a'
>  >>> print s
> a
>  >>> s == repr(s)
> False
> 
> Note that the first one has quotes - 'a' - while the second one is just an
> a. A small difference, but they are different. More important, for your
> problem, is that s is not equal to its repr(). How about this:
>  >>> s='ü'
>  >>> s
> '\x81'
>  >>> print s
> ü
>  >>> s == repr(s)
> False
> 
> (That's a u-umlaut, just in case it gets mangled by mail.) The first output
> looks nothing like the second. repr(s) uses \x escapes to print out the
> value in ASCII; print s prints the actual character.
> 
> OK, back to hashes...with your sample data, we have
>  >>> d = md5.new(p).digest()
>  >>> d
> '\xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E'
>  >>> print d
> + TÑç¦&±Rf=ëíF¦E
> 
> Once again, the results are very different. This shows the actual hex
> values in the hash:
>  >>> print ' '.join( [ hex(ord(c)) for c in d ] )
> 0xc8 0xff 0xe9 0xa5 0x87 0xb1 0x26 0xf1 0x52 0xed 0x3d 0x89 0xa1 0x46 0xb4 0x45
> 
> You can see that in repr(d) the characters less than 0x80 are shown
> verbatim, while characters >= 0x80 are escaped.
> 
> So, what to do? I can think of two solutions:
> - In your CGI, when you compute the hash, compare repr(hash) against what
> you find in the file.
> - Create the file with the actual hash, instead of its repr(). If there is
> only one password in the file, you could do this from the command line,
> just open the file and write the string to it. If you have more than one
> password, you might want to write a small program to help with this.
> 
> 
> 
> Kent
> 
> 

It doesn't work :( ...
Here is what I did:

import cgi
import cgitb; cgitb.enable()
import md5
form = cgi.FieldStorage()
x=open("pass.txt","r")
form.getfirst("pass")
print "Content-type: text/html\n\n"
def printhtml():
   print """
      <html><body>
      <form><input name="pass" type="text"></form>
      """
def checkpass():

   filepass=x.readline() # The password in the file is already digested.
   userpass=md5.new(form.getfirst("pass")).digest()
   if repr(userpass)==filepass:
       print "OK, come in."
   else:
       print "Wrong password, try again!"

printhtml()
if form.has_key("pass"):
   checkpass()
x.close()


The result is the same (output is always for wrong password...).
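As an added example (not code from the thread), the same mismatch and both of Kent's fixes in Python 3 with hashlib: the escaped text pasted from the interpreter is compared the way the CGI above does it, beside a file holding the raw digest bytes and a file holding the hex digest. The temporary file names and the utf-8 encoding are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

def md5_digest(password: str) -> bytes:
    # Python 3 equivalent of md5.new(p).digest(); the encoding is an assumption
    # (Python 2 str was already bytes).
    return hashlib.md5(password.encode("utf-8")).digest()

def write_escaped(path: str, password: str) -> None:
    # The mistake from the thread: paste the interpreter's escaped display of
    # the digest into a text file. "\xc8" lands as four ASCII characters, not
    # as the single byte 0xc8, and the editor adds a trailing newline.
    with open(path, "w") as f:
        f.write(repr(md5_digest(password))[2:-1] + "\n")

def write_raw(path: str, password: str) -> None:
    # Kent's second fix: store the 16 actual digest bytes, no repr(), no newline.
    with open(path, "wb") as f:
        f.write(md5_digest(password))

def write_hex(path: str, password: str) -> None:
    # Text-safe alternative: the hex digest is printable ASCII, so a text file
    # and readline() work as long as the newline is stripped when reading.
    with open(path, "w") as f:
        f.write(md5_digest(password).hex() + "\n")

def check_escaped_naive(path: str, attempt: str) -> bool:
    # The comparison in the posted CGI: readline() keeps the '\n' and the file
    # holds escaped text, so this is False even for the correct password.
    with open(path, "r") as f:
        return repr(md5_digest(attempt)) == f.readline()

def check_raw(path: str, attempt: str) -> bool:
    with open(path, "rb") as f:
        return hmac.compare_digest(f.read(), md5_digest(attempt))

def check_hex(path: str, attempt: str) -> bool:
    with open(path, "r") as f:
        return hmac.compare_digest(f.readline().strip(), md5_digest(attempt).hex())

def run_demo(password: str = "124", attempt: str = "124") -> dict:
    # Builds all three files in a temp dir and reports sizes and check outcomes.
    d = tempfile.mkdtemp()
    esc, raw, hx = (os.path.join(d, n) for n in ("esc.txt", "raw.bin", "hex.txt"))
    write_escaped(esc, password); write_raw(raw, password); write_hex(hx, password)
    return {
        "escaped_size": os.path.getsize(esc), "raw_size": os.path.getsize(raw),
        "escaped_naive": check_escaped_naive(esc, attempt),
        "raw": check_raw(raw, attempt), "hex": check_hex(hx, attempt),
    }
```

hmac.compare_digest is used instead of == so the comparison does not leak timing; unsalted MD5 is kept only because it is what the thread uses, a real password file needs a salted, slow password hash.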

