
Re: Password validation security issue

Date Sun, 2 Mar 2014 05:43:33 +1100
Subject Re: Password validation security issue
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.7526.1393699418.18130.python-list@python.org> (permalink)


On Sun, Mar 2, 2014 at 5:38 AM, Tim Chase <python.list@tim.thechases.com> wrote:
> That said, if the user has access to the source code, there's nothing
> preventing them from changing
>
>   if hash(provided_password) == existing_hash:
>     do_magic()
>
> into just
>
>   if True:
>     do_magic()
>
> and re-running the program.

They don't necessarily have to have the ability to edit the file.
Based on the original description, the problem is that if Python
running as that user can read the file (to run it), then so can
anything else running as that user. Python doesn't need to be able to
change the file.

ChrisA
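
The point made in this reply, as an added example that is not part of the original post: a check of which processes can read a script that embeds a password hash, judged from the POSIX mode bits. The function names `readable_by` and `audit_secret_file` are hypothetical, and ACLs and mandatory access control are assumed absent.

```python
import os
import stat


def readable_by(path, uid, gids=frozenset()):
    """True if a process with this uid/gids may open `path` for reading,
    judged from the classic POSIX mode bits only."""
    st = os.stat(path)
    if uid == 0:                 # root is not restricted by the read bits
        return True
    if uid == st.st_uid:         # the owner class applies exclusively
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:        # then the group class
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_secret_file(path, run_as_uid, run_as_gids=frozenset()):
    """List the exposure of a script that the interpreter runs as run_as_uid.

    If the interpreter can read the file in order to run it, every other
    process under the same uid can read it too; no write access is needed.
    """
    mode = os.stat(path).st_mode
    findings = []
    if readable_by(path, run_as_uid, run_as_gids):
        findings.append("same-uid-readable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway script holding a placeholder hash.
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write('existing_hash = "PLACEHOLDER"\n')
    os.chmod(f.name, 0o600)      # tightest mode that still lets the owner run it
    print(audit_secret_file(f.name, os.getuid()))
    os.remove(f.name)
```

Even at mode 0600 the audit still reports `same-uid-readable`: tightening permissions removes group and world exposure, but not exposure to other programs running as the same user.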
