Created on 2009-10-26 14:39 by pajs@fodder.org.uk, last changed 2009-11-01 18:48 by gregory.p.smith. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| getpass.diff | pajs@fodder.org.uk, 2009-10-26 14:49 | |||
| Messages (7) | |||
|---|---|---|---|
| msg94488 - (view) | Author: Peter Saunders (pajs@fodder.org.uk) | Date: 2009-10-26 14:39 | |
Only sucessfully replicated on solaris.
When running getpass() - it goes into non echo mode, however, once enter
is pressed, the password is echoed to the screen. E.g.
> /opt/python/2.6.3/bin/python -c 'import getpass; x=getpass.getpass()'
Password: bob
This does NOT happen on older versions:
> /opt/IBpython/2.5.1/bin/python -c 'import getpass; x=getpass.getpass()'
Password:
/opt/python/2.3.3/bin/python -c 'import getpass; x=getpass.getpass()'
Password:
To stop this occuring for me, simply adding a stream.flush() line
straight after the
finally:
termios.tcsetattr(fd, termios.TCSADRAIN, old)
line fixes the issue:
saundep@ln8u3494inx:[/tmp]> /opt/IBpython/2.6.3/bin/python -c 'import
gp; gp.getpass()'
Password:
|
|||
| msg94490 - (view) | Author: Antoine Pitrou (pitrou) *  |
Date: 2009-10-26 15:23 | |
Looks like a critical bug, thanks. |
|||
| msg94594 - (view) | Author: Alexander Belopolsky (belopolsky) |
Date: 2009-10-28 00:17 | |
Just to give credit where credit is due: see #4 here http://mail.python.org/pipermail/python-dev/2003-December/040579.html |
|||
| msg94766 - (view) | Author: Gregory P. Smith (gregory.p.smith) * |
Date: 2009-10-31 21:27 | |
Peter - can you apply the patch from svn r76000 and test that it works properly on Solaris? |
|||
| msg94767 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2009-10-31 21:34 | |
Regarding your comment in r76000: """NOTE: The Python C API calls flockfile() (and unlock) during readline.""" This may be true in 2.x but not in 3.x. Does it have any security implication? |
|||
| msg94773 - (view) | Author: Gregory P. Smith (gregory.p.smith) * |
Date: 2009-10-31 22:26 | |
It might mean that other threads with access to the same file handle could interfere and intercept part of the password entry if they wanted to but thats not too concerning. py3k/Modules/_io/bufferedio.c which is presumably used when input is sys.stdin instead of a /dev/tty file appears to lock things. Compared to glibc's getpass implementation the locking should probably be done around a wider swath of getpass code in order to protect all possible race conditions of other code accessing the handle as we set it up and display the prompt. I don't really think it is something worry about as it requires code executing within the context of your own getpass calling program to be doing something that'll interfere with your password reading. If someone has -that- problem they have bigger issues. |
|||
| msg94800 - (view) | Author: Gregory P. Smith (gregory.p.smith) * |
Date: 2009-11-01 18:48 | |
merged into release26-maint in r76015. this patch also fixed issue7246. py3k r76017 release31-maint r76019 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2009-11-01 18:48:44 | gregory.p.smith | set | status: open -> closed resolution: fixed messages: + msg94800 versions: - Python 2.6, Python 2.7 |
| 2009-10-31 22:26:13 | gregory.p.smith | set | messages: + msg94773 |
| 2009-10-31 21:34:21 | pitrou | set | messages: + msg94767 |
| 2009-10-31 21:27:30 | gregory.p.smith | set | messages: + msg94766 |
| 2009-10-31 20:56:56 | gregory.p.smith | set | assignee: gregory.p.smith nosy: + gregory.p.smith, - gps |
| 2009-10-29 19:37:10 | pitrou | set | nosy:
+ gps |
| 2009-10-28 00:17:21 | belopolsky | set | nosy:
+ belopolsky messages: + msg94594 |
| 2009-10-26 15:23:03 | pitrou | set | nosy: + pitrou versions: + Python 3.1, Python 2.7, Python 3.2 messages: + msg94490 priority: critical type: behavior stage: patch review |
| 2009-10-26 14:49:19 | pajs@fodder.org.uk | set | files:
+ getpass.diff keywords: + patch |
| 2009-10-26 14:39:37 | pajs@fodder.org.uk | create | |