Oleg Zabluda's blog
Wednesday, April 11, 2012
 
My first contribution to the python community from 2003. I reported bugs and potential security holes in getpass.py
http://mail.python.org/pipermail/python-dev/2003-December/040579.html
Guido van Rossum, later in the thread, decided they were not worth fixing.

In 2009, the bug/security hole was actually triggered, and it was noted that I had reported it back in 2003:
http://bugs.python.org/issue7208
http://bugs.python.org/issue7208#msg94594

The proposed fix at the time was still incomplete. sync(2) can return before the fd is flushed (see sync(2)); stream.flush() can fail (I/O error, a user-supplied replacement for flush(), etc.) or be interrupted (^C or another signal, and the same goes for tcsetattr); or the thread can be cancelled. In any of these cases the terminal is left in the wrong state, and later I/O by the program on the stream might echo the password.
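As an added example (it is not code from getpass.py, from the 2003 report, or from the issue 7208 fix), here is an echo-off read written around the failure modes listed above: the terminal state is restored in a finally block, the restore itself is retried on EINTR, and TCSAFLUSH is used so that the prompt is drained and any type-ahead typed while echo was still on is discarded rather than accepted as the password. The `reader` parameter, the pty harness in demo(), and the typed input b"secret\n" are assumptions made so the routine can be exercised without a real user at a terminal.

```python
import os
import pty
import select
import termios
import threading
import time


def _set_attrs(fd, attrs):
    # The interpreter does not retry tcsetattr on EINTR, so retry here: a signal
    # arriving during the restore must not leave the terminal with echo off.
    while True:
        try:
            termios.tcsetattr(fd, termios.TCSAFLUSH, attrs)
            return
        except InterruptedError:
            continue


def read_password(fd, prompt=b"Password: ", reader=os.read):
    """Read one line from tty file descriptor `fd` with echo disabled.

    Returns the line without its trailing newline. `reader` is an injection
    point (an assumption made for testing); it defaults to os.read.
    """
    os.write(fd, prompt)                 # unbuffered write straight to the tty
    old = termios.tcgetattr(fd)
    new = list(old)
    new[3] &= ~(termios.ECHO | termios.ECHONL)  # index 3 is c_lflag; ICANON stays on
    # TCSAFLUSH: wait for the prompt to drain, then discard type-ahead that was
    # typed (and echoed) while echo was still on.
    _set_attrs(fd, new)
    try:
        buf = bytearray()
        while not buf.endswith(b"\n"):
            chunk = reader(fd, 1024)
            if not chunk:                # EOF (^D at the start of the line)
                break
            buf += chunk
    finally:
        # Reached on success, on an I/O error, on KeyboardInterrupt, or when a
        # replaced reader raises: echo comes back before anything else happens.
        _set_attrs(fd, old)
        os.write(fd, b"\n")
    return bytes(buf).rstrip(b"\r\n")


def _echo_is_on(fd):
    return bool(termios.tcgetattr(fd)[3] & termios.ECHO)


def _type_when_echo_off(master, slave, data, deadline=5.0):
    # Simulated user: wait until read_password has turned echo off, then "type".
    end = time.monotonic() + deadline
    while _echo_is_on(slave) and time.monotonic() < end:
        time.sleep(0.005)
    os.write(master, data)


def _drain(master, timeout=0.2):
    # Collect whatever the terminal emitted (prompt, echoed bytes, newline).
    out = b""
    while select.select([master], [], [], timeout)[0]:
        out += os.read(master, 4096)
    return out


def demo():
    """Run read_password on a pseudo-terminal with constructed input.

    Returns the password read, the bytes the "screen" saw, and whether echo
    was restored after a normal read and after an interrupted one.
    """
    master, slave = pty.openpty()
    try:
        typist = threading.Thread(target=_type_when_echo_off,
                                  args=(master, slave, b"secret\n"))
        typist.start()
        password = read_password(slave)
        typist.join()
        screen = _drain(master)
        echo_after_read = _echo_is_on(slave)

        def interrupted_read(fd, n):     # stands in for ^C landing mid-read
            raise KeyboardInterrupt

        restored_after_interrupt = False
        try:
            read_password(slave, reader=interrupted_read)
        except KeyboardInterrupt:
            restored_after_interrupt = _echo_is_on(slave)
        _drain(master)
        return {
            "password": password,
            "screen": screen,
            "echo_after_read": echo_after_read,
            "restored_after_interrupt": restored_after_interrupt,
        }
    finally:
        os.close(slave)
        os.close(master)


if __name__ == "__main__":
    print(demo())
```

demo() opens a pty itself, runs read_password() with a thread standing in for a user who types only after echo is off, and then runs it again with a reader that raises KeyboardInterrupt to check that echo comes back; the password must never appear in the bytes the master side (the "screen") received. This covers exceptions raised inside the read, but not a process terminated outright by a signal whose default action is to exit, where no userland finally block runs at all; that limitation is part of the case for leaning on the single libc implementation the rest of the system already depends on.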

I didn't check the current state of getpass.py. The stated reason for using it instead of the C library's getpass(3) is portability, but on platforms where getpass(3) is available (glibc, for example) it is best to use that: it has clearly received more scrutiny and, more importantly, it is used throughout the system (login, ssh, sudo, etc.), so if it is broken the game is over anyway. Relying on it therefore reduces the defense perimeter instead of adding a second implementation that has to be gotten right.
