From: Chris Angelico
Cc: python-list@python.org
Newsgroups: comp.lang.python
Subject: Re: Password validation security issue
Date: Sun, 2 Mar 2014 05:43:33 +1100
In-Reply-To: <20140301123825.2c2dd24e@bigbox.christie.dr>

On Sun, Mar 2, 2014 at 5:38 AM, Tim Chase wrote:
> That said, if the user has access to the source code, there's nothing
> preventing them from changing
>
>     if hash(provided_password) == existing_hash:
>         do_magic()
>
> into just
>
>     if True:
>         do_magic()
>
> and re-running the program.

They don't necessarily have to have the ability to edit the file. Based
on the original description, the problem is that if Python running as
that user can read the file (to run it), then so can anything else
running as that user. Python doesn't need to be able to change the file.

ChrisA
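The check Tim quotes, done with a proper password hash, as an added example that is not part of the original thread (the record format and function names are my own): it stores a salted PBKDF2 record instead of a bare `hash()` value and compares in constant time. It does not change ChrisA's point that anything running as the same user can still read the stored record; what it ensures is that reading the record does not reveal the password.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2; raise it as hardware gets faster.
ITERATIONS = 200_000


def make_record(password: str) -> str:
    """Return a storable record: algorithm, iterations, random salt, digest.

    The record is deliberately not reversible, so a process that can read
    it (anything running as the same user, per the thread) does not learn
    the password itself.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(provided_password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time.

    Python's builtin hash() is not suitable for this: it is not a
    cryptographic hash and, since Python 3.3, its output for str is
    randomised per process, so hash(provided_password) == existing_hash
    would not even match across runs.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", provided_password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample; in practice the record would be read from a file.
    record = make_record("correct horse battery staple")
    print(record)
    print(verify("correct horse battery staple", record))  # True
    print(verify("wrong", record))  # False
```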