Issue7208
Created on 2009-10-26 14:39 by pajs@fodder.org.uk, last changed 2009-11-01 18:48 by gregory.p.smith.
| File name | Uploaded | Description |
| getpass.diff | pajs@fodder.org.uk, 2009-10-26 14:49 | |

msg94488
Author: Peter Saunders (pajs@fodder.org.uk)
Date: 2009-10-26 14:39

Only successfully replicated on Solaris.
When running getpass() - it goes into non echo mode, however, once enter
is pressed, the password is echoed to the screen. E.g.
> /opt/python/2.6.3/bin/python -c 'import getpass; x=getpass.getpass()'
Password: bob
This does NOT happen on older versions:
> /opt/IBpython/2.5.1/bin/python -c 'import getpass; x=getpass.getpass()'
Password:
/opt/python/2.3.3/bin/python -c 'import getpass; x=getpass.getpass()'
Password:
To stop this occurring for me, simply adding a stream.flush() line
straight after the
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old)
line fixes the issue:
saundep@ln8u3494inx:[/tmp]> /opt/IBpython/2.6.3/bin/python -c 'import gp; gp.getpass()'
Password:
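
A minimal no-echo reader following the pattern described in the report above, with the flush placed directly after the terminal settings are restored. This is an added example, not the contents of getpass.diff or of any Python release; `read_secret` and `echo_disabled` are hypothetical names, and the stream setup is an assumption of this sketch.

```python
import io
import termios


def echo_disabled(attrs):
    """Return a copy of a tcgetattr() list with the ECHO flag cleared."""
    new = list(attrs)
    new[3] &= ~termios.ECHO  # index 3 is the local-modes (lflag) word
    return new


def read_secret(fd, prompt="Password: "):
    """Prompt on terminal `fd` and read one line with echo switched off."""
    # Read/write text stream over the terminal; closefd=False leaves fd open.
    stream = io.TextIOWrapper(io.FileIO(fd, "w+", closefd=False))
    old = termios.tcgetattr(fd)  # saved so the finally block can restore it
    try:
        termios.tcsetattr(fd, termios.TCSADRAIN, echo_disabled(old))
        stream.write(prompt)
        stream.flush()  # the prompt must reach the terminal before we block
        line = stream.readline()
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old)
        stream.flush()  # the flush the reporter added after tcsetattr
    stream.write("\n")  # the user's Enter was not echoed, so end the line
    stream.flush()
    return line.rstrip("\n")


if __name__ == "__main__":
    import os

    tty_fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    try:
        secret = read_secret(tty_fd)
    finally:
        os.close(tty_fd)
    print("read %d characters" % len(secret))
```

To check for the regression on a given platform, drive the function through a pseudo-terminal and confirm that nothing typed is ever readable back from the master side.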

msg94490
Author: Antoine Pitrou (pitrou)
Date: 2009-10-26 15:23

Looks like a critical bug, thanks.

msg94594
Author: Alexander Belopolsky (belopolsky)
Date: 2009-10-28 00:17

Just to give credit where credit is due: see #4 here
http://mail.python.org/pipermail/python-dev/2003-December/040579.html

msg94766
Author: Gregory P. Smith (gregory.p.smith)
Date: 2009-10-31 21:27

Peter - can you apply the patch from svn r76000 and test that it works
properly on Solaris?

msg94767
Author: Antoine Pitrou (pitrou)
Date: 2009-10-31 21:34

Regarding your comment in r76000:
"""NOTE: The Python C API calls flockfile() (and unlock) during
readline."""
This may be true in 2.x but not in 3.x. Does it have any security
implication?

msg94773
Author: Gregory P. Smith (gregory.p.smith)
Date: 2009-10-31 22:26

It might mean that other threads with access to the same file handle
could interfere and intercept part of the password entry if they wanted
to but that's not too concerning.
py3k/Modules/_io/bufferedio.c which is presumably used when input is
sys.stdin instead of a /dev/tty file appears to lock things.
Compared to glibc's getpass implementation the locking should probably
be done around a wider swath of getpass code in order to protect all
possible race conditions of other code accessing the handle as we set it
up and display the prompt. I don't really think it is something to worry
about as it requires code executing within the context of your own
getpass calling program to be doing something that'll interfere with
your password reading. If someone has -that- problem they have bigger
issues.

msg94800
Author: Gregory P. Smith (gregory.p.smith)
Date: 2009-11-01 18:48

Merged into release26-maint in r76015. This patch also fixed issue7246.
py3k r76017
release31-maint r76019

| Date | User | Action | Args |
| 2009-11-01 18:48:44 | gregory.p.smith | set | status: open -> closed; resolution: fixed; messages: + msg94800; versions: - Python 2.6, Python 2.7 |
| 2009-10-31 22:26:13 | gregory.p.smith | set | messages: + msg94773 |
| 2009-10-31 21:34:21 | pitrou | set | messages: + msg94767 |
| 2009-10-31 21:27:30 | gregory.p.smith | set | messages: + msg94766 |
| 2009-10-31 20:56:56 | gregory.p.smith | set | assignee: gregory.p.smith; nosy: + gregory.p.smith, - gps |
| 2009-10-29 19:37:10 | pitrou | set | nosy: + gps |
| 2009-10-28 00:17:21 | belopolsky | set | nosy: + belopolsky; messages: + msg94594 |
| 2009-10-26 15:23:03 | pitrou | set | nosy: + pitrou; versions: + Python 3.1, Python 2.7, Python 3.2; messages: + msg94490; priority: critical; type: behavior; stage: patch review |
| 2009-10-26 14:49:19 | pajs@fodder.org.uk | set | files: + getpass.diff; keywords: + patch |
| 2009-10-26 14:39:37 | pajs@fodder.org.uk | create | |