On Jul 30, 2009, at 11:47 PM, Jonathan Lundell wrote:
>
> On Jul 30, 2009, at 11:32 PM, Bottiger wrote:
>
>>
>>> Precomputing the possible hashes for each base password requires a
>>> table of 2^60 hashes *per password*. On the other hand, a hash of a
>> single deterministic transform of each pas
Massimo,
> It looks to me you have a new version of globals.py but an old version
> of sql.py. Is this possible?
Yes, after upgrading to version 1.65.7 the upload field worked.
Kind regards,
Annet.
Thanks for the answer, Massimo.
XML parsing I have done with a DOM parser.
For me the difficult part is how to integrate my XML parsing program
with the files which I have uploaded through web2py.
I want it this way.
1. Upload the xml file and a zip file
implemented with web2py
2. parse the con
>If the attacker knows (by reading the web2py source) that you're, say,
>concatenating the base password three times, then he knows that you
>haven't increased the password space by even one entry: there's a 1:1
>mapping between base passwords and transformed passwords.
So far you have kept on ig
On Jul 31, 4:10 am, mdipierro wrote:
> We cannot break backward compatibility. People should specify a key
> and use the HMAC+SHA512 anyway.
Currently the default auth_user table just has:
table[passfield].requires = [CRYPT()]
So *all* instances should amend that, right?
This should be in the
Massimo,
> It looks to me you have a new version of globals.py but an old version
> of sql.py. Is this possible?
Yes, upgrading to version 1.65.7 solved the problem.
But now I am facing the following problem:
In my model I defined the following table:
db.define_table('level',
db.Field('l
We can probably make a validator called CRYPT2() so we don't have to
break backward compatibility. In my opinion though, this is a rather
insecure default for a framework that bills itself as being very
secure. I have seen many hacklogs where PHP frameworks were often
compromised by sql injection
On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>> If the attacker knows (by reading the web2py source) that you're,
>> say,
>> concatenating the base password three times, then he knows that you
>> haven't increased the password space by even one entry: there's a 1:1
>> mapping between base pass
Hi, I want to use the PUT method and DELETE method to build a RESTful
service. How do I get PUT and DELETE data?
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To post to this group, send emai
Again, you haven't taken the time to understand what I have said.
What you've been complaining about is only valid if you use the same
salt for every password.
Having a salt be a function of the password is not the same thing as
having the same salt for every password.
On Jul 31, 12:31 am, Jona
On Jul 31, 8:09 am, max wrote:
> For me the difficult part is how to integrate my XML parsing program
> with the files which I have uploaded through web2py.
> I want it this way.
> 1. Upload the xml file and a zip file
> implemented with web2py
> 2. parse the content from the xml file and inser
On Fri, Jul 31, 2009 at 2:31 AM, Jonathan Lundell wrote:
>
> On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>
> .
> The difference is that with a deterministic transform of the password
> (this includes static salt, or salt that's a function of the base
> password), the attacker performs your
Ah, someone here finally understands me.
On Jul 31, 12:38 am, Yarko Tymciurak wrote:
> On Fri, Jul 31, 2009 at 2:31 AM, Jonathan Lundell wrote:
>
>
>
> > On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>
> > .
> > The difference is that with a deterministic transform of the password
> > (this
On Jul 31, 2009, at 12:19 AM, Fran wrote:
> On Jul 31, 4:10 am, mdipierro wrote:
>> We cannot break backward compatibility. People should specify a key
>> and use the HMAC+SHA512 anyway.
>
> Currently the default auth_user table just has:
> table[passfield].requires = [CRYPT()]
>
> So *all* inst
On Jul 31, 2009, at 12:38 AM, Yarko Tymciurak wrote:
> On Fri, Jul 31, 2009 at 2:31 AM, Jonathan Lundell
> wrote:
>
> On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>
> .
> The difference is that with a deterministic transform of the password
> (this includes static salt, or salt that's a fu
On Jul 31, 2009, at 12:35 AM, Bottiger wrote:
>
> Again, you haven't taken the time to understand what I have said.
>
> What you've been complaining about is only valid if you use the same
> salt for every password.
>
> Having a salt be a function of the password is not the same thing as
> having
On Jul 31, 2009, at 12:48 AM, Jonathan Lundell wrote:
> On Jul 31, 2009, at 12:38 AM, Yarko Tymciurak wrote:
>
>> On Fri, Jul 31, 2009 at 2:31 AM, Jonathan Lundell
>> wrote:
>>
>> On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>>
>> .
>> The difference is that with a deterministic transform
Can you please take some time to actually understand the situation.
Every time you keep repeating the same factually incorrect statements.
md5(password1+password1)
password1 is not the same as
md5(password2+password2)
> Suppose you have a dictionary of 1,000,000 weak passwords and precompute
On Jul 31, 8:45 am, Jonathan Lundell wrote:
> It wouldn't be extraordinarily difficult to migrate an existing MD5-
> hashed password table to a stronger method.
I really think that we need to be 'secure by default' - this is what
is claimed for the framework.
Even with clear documentation (& sca
On Jul 31, 8:23 am, annet wrote:
> {{=activiteit.level.image}}
> the file name:
> level.image.aef56e3f826179e6.677265656e5f646f742e706e67.png is being
> displayed. Why is that?
because that is what is stored in the DB.
To display the image you need something like:
F
Hi,
LB22 wrote:
> OK, I don't know how but I missed Philip's post earlier:
>
> "Is the rewrite rule within a virtual host block?"
>
> This was exactly the problem - where I was trying Fran's suggestion
> for my mod_rewrite issues, I had added a rewrite rule to a virtual
> hosts block in httpd.c
Thank you for the reply.
I've been googling for the right version of mod_wsgi for a couple of hours and
got nothing. I'll try to compile it from the source code. I'm on Windows
XP [ :( ], Python 2.5.4, Apache 2.2.11.
How can I compile it? I would be thankful for any instructions.
2009/7/31 Yarko Tymciurak
hi Fran,
I've figured it out.
In my view I've added
{{if form.errors and form.errors.password_two:}}Password fields don't match{{pass}}
at the end of my "Verify password" td.
thanks for your help.
Carl
On Jul 30, 12:48 pm, Carl wrote:
> hi Fran,
>
> Have looked at {{=form.custom.begin}} and
On Jul 31, 1:53 pm, Carl wrote:
> I've figured it out.
Great - so much better when you solve it yourself :)
Thanks for sharing the trick...
F
Some observations about the Django approach versus SQL are presented here:
http://slott-softwarearchitect.blogspot.com/2009/07/object-models-and-relational-joins.html
Object Models and Relational Joins -- Endless Confusion
Perhaps it could be of interest to show Web2py approach in the same way.
On Jul 31, 2009, at 1:32 AM, Bottiger wrote:
> Can you please take some time to actually understand the situation.
> Every time you keep repeating the same factually incorrect statements.
>
> md5(password1+password1)
>
> password1 is not the same as
>
> md5(password2+password2)
>
>> Suppose you h
thank you all for replying.
It is definitely not a matter of syntax but of my poor knowledge of
Flash I suppose.
I found no way to get my mp4 imported in Flash converted in a "valid"
swf for playing: the proof of my wrong approach is the dimension of
the swf file obtained from Flash: 60KB against
.. And even if you use the same salt for each password It'd still be a
time-consuming job since for each "clear" password in a rainbow table
you'd have to "recompute" the new hash based on the salt and scan the
rainbow table entirely for each record, now I totally agree that
adding a salt for each
On Jul 31, 1:19 am, Jonathan Lundell wrote:
>
> I'm suggesting (sticking with md5 for comparability):
>
> md5(password+random)+random
>
> ...where random is randomly chosen for each new password.
>
> You're suggesting?
How can you hash a password with a "random" salt??, the whole purpose
On Jul 31, 2009, at 7:55 AM, Julio wrote:
> .. And even if you use the same salt for each password It'd still be a
> time-consuming job since for each "clear" password in a rainbow table
> you'd have to "recompute" the new hash based on the salt and scan the
> rainbow table entirely for each reco
I'm no expert, but I have had flash followed by a redirect not work.
On Jul 30, 6:23 am, Vidul Petrov wrote:
> http://my-sticky-note.appspot.com/init/default/welcome(still missing
> the demo)
>
> Yes it's very small app, never-the-less the time went like this:
> - views / controllers / model: 5% (o
Take a look here:
http://www.mhproject.org/index.php/mhproject.php/2009/07/20/how_to_install_apache2_ssl_web2py_window
However, Abraham told me that the wsgi version I use is old, but I
couldn't find an updated one for Python 2.5; all are for 2.6.
Cheers
alex f
On 31/07/2009 14:48, 陶艺夫 wrote:
> Tha
On Jul 31, 2009, at 8:07 AM, Julio wrote:
> On Jul 31, 1:19 am, Jonathan Lundell wrote:
>>
>> I'm suggesting (sticking with md5 for comparability):
>>
>> md5(password+random)+random
>>
>> ...where random is randomly chosen for each new password.
>>
>> You're suggesting?
>
> How can you h
I know next to nothing about this stuff, but yesterday I had to do
some stuff with htpasswd and I noticed you can actually use different
hash schemes in the same password file (at least I saw a mix of salted
and unsalted hashes). Couldn't this be used to solve the compatibility
issue? Assuming tha
Both methods are really flawed and we all know it, adding a "random"
flavor to the salt (and storing it somewhere) is no more difficult to
"crack" than salting a password with the first, third and fifth
letters of the original password for example (or the way I am doing it
for that matter),
I bel
On Jul 31, 6:26 am, Bottiger wrote:
> > That may not be a good idea, I think. That makes your password longer but
> > with a possible cryptographic weakness because it's following a known
> > generation rule (being formed by a string repeated 3 times).
>
> The primary concern is a precomputed
On Jul 31, 2009, at 9:35 AM, Gijsbert wrote:
> I know next to nothing about this stuff, but yesterday I had to do
> some stuff with htpasswd and I noticed you can actually use different
> hash schemes in the same password file (at least I saw a mix of salted
> and unsalted hashes). Couldn't this
On Jul 31, 2009, at 9:36 AM, Julio wrote:
> Both methods are really flawed and we all know it, adding a "random"
> flavor to the salt (and storing it somewhere) is no more difficult to
> "crack" than salting a password with the first, third and fifth
> letters of the original password for example
Thanks Alex. I have followed your instructions to set up the whole
environment. After restarting all services, I still can't get it to work. And
there are some warnings in the Apache error log file:
[Sat Aug 01 00:37:43 2009] [warn] mod_wsgi: Compiled for Python/2.5.
[Sat Aug 01 00:37:43 2009] [warn] m
> I'd prefer some less-predictable salt than the suggestion below,
> though. How about the old Unix passwd trick of choosing a some random
> salt, and appending the salt in plaintext to the hash?
we could do that, without breaking backward compatibility I think...
- store password in the follo
Has anybody had any luck getting the taskqueue from google app engine
to work in web2py? I presume that it should work under dev_appserver,
but isn't working for me.
I defined a simple default controller based on the gae example at the
google blog:
def process_post_file():
rows=db(db.files.p
On Jul 31, 2009, at 3:33 AM, olivier wrote:
>>
>> I'd prefer some less-predictable salt than the suggestion below,
>> though. How about the old Unix passwd trick of choosing a some random
>> salt, and appending the salt in plaintext to the hash?
>
> we could do that, without braking backward comp
On Jul 31, 10:13 am, Jonathan Lundell wrote:
>
> We should be clear about which problem(s) we're trying to solve.
>
Hey Jon,
I think this is the easiest part, we are trying to secure our
passwords (without using encryption) so in the event they are stolen
they would be *very hard* to crack, sim
On Jul 31, 2009, at 12:10 PM, Julio wrote:
>
> On Jul 31, 10:13 am, Jonathan Lundell wrote:
>>
>> We should be clear about which problem(s) we're trying to solve.
>>
>
> Hey Jon,
>
> I think this is the easiest part, we are trying to secure our
> passwords (without using encryption) so in the ev
There are several measures we might take to tighten up default
security in a backwards-compatible way.
1. Use IS_STRONG() by default in the welcome application template.
2. Add salted hash methods, in particular a) random salt, and b) using
the user's email address as salt (it's not as good a
> If we have a deterministic (1:1) transform t() of the password, then
> hash(t(password)) is exactly some hash'(password). We've redefined the
> hash function, and all we have to do is to create a new rainbow table
> for that function. That is, you can consider any 1:1 pre-hash
> transfo
On Jul 31, 2009, at 12:56 PM, Julio wrote:
>> If we have a deterministic (1:1) transform t() of the password, then
>> hash(t(password)) is exactly some hash'(password). We've redefined
>> the
>> hash function, and all we have to do is to create a new rainbow table
>> for that function. That is,
Hello forum!
I am trying to replace the default auth table 'auth_user' with my own:
auth.settings.table_user = db.define_table(
auth.settings.table_user_name,
Field('username', length=32, requires = [IS_NOT_EMPTY(), IS_LENGTH
(32), IS_ALPHANUMERIC()]),
Field('email', length=128,default
You have some errors here:
On Fri, Jul 31, 2009 at 4:47 PM, ivanvpan wrote:
>
> Hello forum!
> I am trying to replace the default auth table 'auth_user' with my own:
> auth.settings.table_user = db.define_table(
>auth.settings.table_user_name,
this can also be:
auth.settings.table_user =
> You can add your own fields, but you must have the minumum fields, as they
> are written.
Ah! That's the ticket. Thanks a lot.
http://web2py.com/AlterEgo/default/show/246
Will hopefully be added to main Geraldo docs too:
https://sourceforge.net/tracker/?func=detail&aid=2830566&group_id=251460&atid=1126588
This is all working great for me with simple reports, however I am
currently unable to get SubReports to workhas
I do not know for sure because PUT and DELETE are not standard http
methods. Try
request.vars
and
request.body.read()
Let us know.
On Jul 31, 2:28 am, 诚子 wrote:
> Hi, I want to use the PUT method and DELETE method to build a RESTful
> service. How do I get PUT and DELETE data?
This should work
On Jul 31, 2:37 am, Fran wrote:
> On Jul 31, 8:09 am, max wrote:
>
> > For me the difficult part is how to integrate my XML parsing program
> > with the files which I have uploaded through web2py.
> > I want it this way.
> > 1. Upload the xml file and a zip file
> > implement
If you want to display the flash after redirect you should use
session.flash and not response.flash
On Jul 31, 10:13 am, Gijsbert wrote:
> I'm no expert, but I have flash followed by a redirect not work.
>
> On Jul 30, 6:23 am, Vidul Petrov wrote:
>
> >http://my-sticky-note.appspot.com/init/def
which browser are you using? can you try wget and/or other browsers?
On Jul 30, 10:32 pm, 陶艺夫 wrote:
> Hi,
> I'm using "response.stream(file_name)" method to offer users downloading
> files which are sort of business-classified, but the downloading process
> always terminated halfway. The testin
On Jul 31, 2009, at 4:00 PM, mdipierro wrote:
> I do not know for sure because PUT and DELETE are not standard http
> methods.
They are, actually; they're just not used by interactive web browsers.
http://en.wikipedia.org/wiki/Http#Request_methods
> Try
>
> request.vars
> and
> request.body.re
Hmmm check this page out:
http://www.w3.org/Amaya/User/Put.html
On Fri, Jul 31, 2009 at 6:07 PM, Jonathan Lundell wrote:
>
> On Jul 31, 2009, at 4:00 PM, mdipierro wrote:
>
> > I do not know for sure because PUT and DELETE are not standard http
> > methods.
>
> They are, actually; they're j
Is anyone working on incorporating OpenID with auth? I need to know
because I am not looking forward to duplicating effort again if
someone has already started or finished it.
On Jul 27, 1:07 am, hcvst wrote:
> Hi,
>
> when I first came across this post, I was working on a provider so I
> just p
CouchDB seems to support PUT.
--
Teru
You will need to do request.body.read() for PUT. Web2Py does not parse
the body of PUT requests.
Example:
Request:
PUT /test/default/ HTTP/1.1
Content-Length: 21
blah blah hello hello
Output:
Body
"blah blah hello hello"
On Jul 31, 12:28 am, 诚子 wrote:
> Hi, I want to use the PUT method and DELE
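The pattern Bottiger describes above (dispatch on the method, and for PUT read the raw body yourself because the framework does not parse it into request.vars), carried through as an added example. This is not web2py code and not any poster's: it is a minimal WSGI-style dispatcher with constructed environ dictionaries standing in for real requests, and the names rest_dispatch, read_raw_body, make_environ and MAX_BODY are assumptions made for illustration. It also adds the check a practitioner wants: Content-Length comes from the client, so it is bounded before anything is buffered.

```python
import io
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Added example, not web2py's own request handling.
MAX_BODY = 1 << 20  # cap on what we buffer; Content-Length is attacker-controlled


def read_raw_body(environ: Dict) -> bytes:
    """The equivalent of request.body.read(): return the unparsed body.
    The length is taken from Content-Length and bounded before reading so a
    client cannot make the server buffer an arbitrary amount."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        raise ValueError("bad Content-Length")
    if length < 0 or length > MAX_BODY:
        raise ValueError("body too large")
    return environ["wsgi.input"].read(length)


def rest_dispatch(environ: Dict) -> Tuple[str, str]:
    """Route one request by method. GET and POST behave as a form-based
    framework would; PUT and DELETE carry their data only in the raw body
    and the URL, so the handler has to read the body itself."""
    method = environ["REQUEST_METHOD"].upper()
    query = {k: v[-1] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
    resource = query.get("id")

    if method == "GET":
        return "200 OK", "get %s" % resource
    if method == "POST":
        # form-encoded POST bodies are what a framework parses into request.vars
        form = parse_qs(read_raw_body(environ).decode("utf-8"))
        return "201 Created", "created %s" % form.get("name", [""])[0]
    if method == "PUT":
        raw = read_raw_body(environ)  # raw bytes; nothing has parsed this for you
        return "200 OK", "put %s: %s" % (resource, raw.decode("utf-8"))
    if method == "DELETE":
        read_raw_body(environ)  # normally empty; the target is named by the URL
        if resource is None:
            return "400 Bad Request", "missing id"
        return "204 No Content", "deleted %s" % resource
    return "405 Method Not Allowed", ""


def make_environ(method: str, body: bytes = b"", query: str = "",
                 content_type: str = "text/plain") -> Dict:
    """Constructed WSGI environ for offline use; not a captured request."""
    return {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_TYPE": content_type,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


if __name__ == "__main__":
    # The PUT from the message above, rebuilt as an environ
    print(rest_dispatch(make_environ("PUT", b"blah blah hello hello", query="id=1")))
    print(rest_dispatch(make_environ("DELETE", query="id=1")))
```

Inside web2py the same split is request.env.request_method for the method and request.body.read() for the raw PUT body; the bound on the body size is the part worth keeping whatever framework sits underneath.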
Thanks for the responses.
> db.student.student_id.requires=IS_NOT_IN_DB(db,'student.student_id')
> db.tasks.student.requires=IS_IN_DB(db,'student.id','%(student_id)s')
> db.tasks.student.represent=lambda id: db.student[id].student_id
This seems to accomplish what I was trying to do, thanks. Howe
Pardon me for jumping in here, but I thought I'd try my hand at
putting this into some concrete examples.
Let's say we have an overly simple site with just three users (Jane,
Dick and Sally) and for some odd reason have made it a policy that
they can only choose from three passwords: "password",
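Pete's concrete setup is cut off above, so here it is carried through in code as an added example that belongs to neither web2py nor any poster. It puts the two schemes argued over in this thread side by side: the deterministic transform (the password repeated three times, as debated from Jonathan's 1:1 argument onward) and Jonathan's md5(password+random)+random with the salt stored in the clear, the old Unix passwd trick olivier picked up. The names deterministic_hash, salted_hash, verify_salted, crack_deterministic and crack_salted, and the Jane/Dick/Sally passwords and attacker dictionary, are constructed for illustration; it uses sha512 where the thread says md5, which changes nothing about the salting argument.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example, not web2py's CRYPT() validator.


def deterministic_hash(password: str) -> str:
    """The transform-then-hash scheme: t(p) = p repeated three times, then md5.
    t() is 1:1, so md5(t(p)) is just another unsalted hash function hash'(p)
    that an attacker can tabulate once and reuse against every database."""
    return hashlib.md5((password * 3).encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-password random salt, stored in the clear next to the digest.
    Format: algo$salt_hex$digest_hex. sha512 stands in for the thread's md5."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode() + salt).hexdigest()
    return "sha512$%s$%s" % (salt.hex(), digest)


def verify_salted(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare so the check
    does not leak how many leading characters matched."""
    _algo, salt_hex, _digest = stored.split("$")
    recomputed = salted_hash(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def crack_deterministic(stored: List[str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker against the deterministic scheme: one table of hash'(p) for
    every dictionary word, built once (possibly before the breach), then every
    user falls to a lookup. Returns (cracked, hash evaluations spent)."""
    table = {deterministic_hash(p): p for p in dictionary}
    cracked = {h: table[h] for h in stored if h in table}
    return cracked, len(dictionary)


def crack_salted(stored: List[str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker against the random-salt scheme: no table can be built before
    the database is stolen (the salt is unknown until then), and a table for
    one user's salt is useless against the next. Work is per (user, word)."""
    cracked: Dict[str, str] = {}
    work = 0
    for entry in stored:
        _algo, salt_hex, _digest = entry.split("$")
        for p in dictionary:
            work += 1
            if salted_hash(p, bytes.fromhex(salt_hex)) == entry:
                cracked[entry] = p
                break
    return cracked, work


if __name__ == "__main__":
    # Constructed data: Jane, Dick and Sally with three weak passwords,
    # and an attacker dictionary that happens to contain all of them.
    users = {"Jane": "password", "Dick": "123456", "Sally": "letmein"}
    dictionary = ["password", "123456", "letmein", "qwerty"]

    det_rows = [deterministic_hash(p) for p in users.values()]
    found, evaluations = crack_deterministic(det_rows, dictionary)
    print("deterministic: %d/3 cracked, %d evaluations, table reusable forever"
          % (len(found), evaluations))

    salted_rows = [salted_hash(p) for p in users.values()]
    found, evaluations = crack_salted(salted_rows, dictionary)
    print("random salt:   %d/3 cracked, %d evaluations, nothing reusable"
          % (len(found), evaluations))
```

Two things fall out when you run it. Two users with the same password get identical rows under the deterministic scheme and different rows under the random salt, which is the observable difference Bottiger and Jonathan were talking past each other about. And with weak passwords both sets of rows still fall: the random salt removes the precomputed table and makes the attacker pay per user, it does not rescue "password", which is why IS_STRONG() and a deliberately slow hash belong next to it rather than instead of it.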
I got it working eventually.
Guess what was wrong? I had a misspelled word in the conf file! It had
taken 2 hours away from my life :)
Thanks a lot. You are so cool...
2009/8/1 mdipierro
>
> which browser are you using? can you try wget and/or other browsers?
>
> On Jul 30, 10:32 pm, 陶艺夫 wr
Now there are some problems I can't figure out.
My application has been doing well under binary web2py with CherryPy. After
I moved it into the Apache and mod_wsgi environment, some pages would issue an error
ticket and when I click the ticket link, it would continue to issue another
error ticket, and on...
I wrote before that I would not say anything about this anymore, but
having this thread pop up multiple times presented itself as a
persistent itch.
First of all I would like to apologize if I came off before as a
little abrasive. Second of all, I will not disagree that overall,
using a random sa
On Jul 31, 2009, at 11:11 PM, Bottiger wrote:
> 2. Attackers will specifically target Web2Py's deterministic algorithm
> with a custom rainbow table.
>
> This is a possibility, but it is not a big one. First of all, even
> with md5, generating tables is not something the average script kiddie
> c
Yes the software is there, but the hardware is a completely different
matter.
On Jul 31, 11:15 pm, Jonathan Lundell wrote:
> On Jul 31, 2009, at 11:11 PM, Bottiger wrote:
>
> > 2. Attackers will specifically target Web2Py's deterministic algorithm
> > with a custom rainbow table.
>
> > This is a
Also, I just downloaded winrtgen, the one that is displayed all over
your google results.
No ability for specifying a salt, or even a custom salting function.
On Jul 31, 11:15 pm, Jonathan Lundell wrote:
> On Jul 31, 2009, at 11:11 PM, Bottiger wrote:
>
> > 2. Attackers will specifically target