classification
Title: Getpass echo's password to screen on 2.6, but not on 2.5 or 3.1
Type: behavior Stage: patch review
Components: Library (Lib) Versions: Python 3.1, Python 3.2
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: gregory.p.smith Nosy List: belopolsky, gregory.p.smith, pajs@fodder.org.uk, pitrou
Priority: critical Keywords: patch

Created on 2009-10-26 14:39 by pajs@fodder.org.uk, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name Uploaded Description
getpass.diff pajs@fodder.org.uk, 2009-10-26 14:49
Messages (7)
msg94488 - (view) Author: Peter Saunders (pajs@fodder.org.uk) Date: 2009-10-26 14:39
Only successfully replicated on Solaris.

When running getpass() - it goes into non echo mode, however, once enter
is pressed, the password is echoed to the screen. E.g.

> /opt/python/2.6.3/bin/python -c 'import getpass; x=getpass.getpass()'
Password: bob

This does NOT happen on older versions:
> /opt/IBpython/2.5.1/bin/python -c 'import getpass; x=getpass.getpass()'
Password:

/opt/python/2.3.3/bin/python -c 'import getpass; x=getpass.getpass()'
Password:

To stop this occurring for me, simply adding a stream.flush() line
straight after the 

            finally:
                termios.tcsetattr(fd, termios.TCSADRAIN, old)

line fixes the issue:
saundep@ln8u3494inx:[/tmp]> /opt/IBpython/2.6.3/bin/python -c 'import gp; gp.getpass()'
Password:
msg94490 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2009-10-26 15:23
Looks like a critical bug, thanks.
msg94594 - (view) Author: Alexander Belopolsky (belopolsky) * (Python committer) Date: 2009-10-28 00:17
Just to give credit where credit is due: see #4 here

http://mail.python.org/pipermail/python-dev/2003-December/040579.html
msg94766 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2009-10-31 21:27
Peter - can you apply the patch from svn r76000 and test that it works 
properly on Solaris?
msg94767 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2009-10-31 21:34
Regarding your comment in r76000:
"""NOTE: The Python C API calls flockfile() (and unlock) during
readline."""

This may be true in 2.x but not in 3.x. Does it have any security
implication?
msg94773 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2009-10-31 22:26
It might mean that other threads with access to the same file handle 
could interfere and intercept part of the password entry if they wanted 
to but thats not too concerning.

py3k/Modules/_io/bufferedio.c which is presumably used when input is 
sys.stdin instead of a /dev/tty file appears to lock things.

Compared to glibc's getpass implementation the locking should probably 
be done around a wider swath of getpass code in order to protect all 
possible race conditions of other code accessing the handle as we set it 
up and display the prompt.  I don't really think it is something to worry 
about as it requires code executing within the context of your own 
getpass calling program to be doing something that'll interfere with 
your password reading.  If someone has -that- problem they have bigger 
issues.
msg94800 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2009-11-01 18:48
merged into release26-maint in r76015.  this patch also fixed issue7246.

py3k r76017
release31-maint r76019
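
A regression check for the behaviour reported in this issue, as an added example that is not part of the tracker thread or of CPython's getpass module. `read_secret` and `run_on_pty` are hypothetical names and the password is a constructed sample; the check runs on a pseudo-terminal, so it verifies that typed input never reaches the display and that ECHO is restored, rather than reproducing the Solaris-specific behaviour.

```python
import io, os, pty, termios, threading

def read_secret(fd, prompt="Password: "):
    """Read one line from terminal fd with ECHO cleared, then restore it."""
    stream = io.TextIOWrapper(io.FileIO(fd, "r+", closefd=False), encoding="utf-8")
    old = termios.tcgetattr(fd)
    new = old[:]
    new[3] &= ~termios.ECHO                 # index 3 is c_lflag
    try:
        termios.tcsetattr(fd, termios.TCSADRAIN, new)
        stream.write(prompt)
        stream.flush()
        line = stream.readline()
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old)
        stream.flush()                      # the flush proposed in the report
    stream.write("\n")                      # the typed newline was not echoed
    stream.flush()
    return line.rstrip("\n")

def run_on_pty(secret="hunter2"):           # constructed sample password
    """Return (value read, bytes the terminal displayed, ECHO restored?)."""
    master, slave = pty.openpty()
    shown = bytearray()

    def user():                             # plays the person at the keyboard
        while b"Password: " not in shown:
            shown.extend(os.read(master, 1024))
        os.write(master, secret.encode() + b"\n")
        while b"\n" not in shown:           # newline follows any echoed input
            shown.extend(os.read(master, 1024))

    typist = threading.Thread(target=user, daemon=True)
    typist.start()
    value = read_secret(slave)
    typist.join(5)
    echo_restored = bool(termios.tcgetattr(slave)[3] & termios.ECHO)
    os.close(master)
    os.close(slave)
    return value, bytes(shown), echo_restored

if __name__ == "__main__":
    value, shown, echo_restored = run_on_pty()
    print("read ok:", value == "hunter2")
    print("secret displayed:", b"hunter2" in shown)
    print("ECHO restored:", echo_restored)
```

The master side of the pty stands in for the screen, so any byte of the secret found in `shown` means the terminal displayed it.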
History
Date | User | Action | Args
2022-04-11 14:56:54 | admin | set | github: 51457
2009-11-01 18:48:44 | gregory.p.smith | set | status: open -> closed; resolution: fixed; messages: + msg94800; versions: - Python 2.6, Python 2.7
2009-10-31 22:26:13 | gregory.p.smith | set | messages: + msg94773
2009-10-31 21:34:21 | pitrou | set | messages: + msg94767
2009-10-31 21:27:30 | gregory.p.smith | set | messages: + msg94766
2009-10-31 20:56:56 | gregory.p.smith | set | assignee: gregory.p.smith; nosy: + gregory.p.smith, - gps
2009-10-29 19:37:10 | pitrou | set | nosy: + gps
2009-10-28 00:17:21 | belopolsky | set | nosy: + belopolsky; messages: + msg94594
2009-10-26 15:23:03 | pitrou | set | priority: critical; type: behavior; versions: + Python 3.1, Python 2.7, Python 3.2; nosy: + pitrou; messages: + msg94490; stage: patch review
2009-10-26 14:49:19 | pajs@fodder.org.uk | set | files: + getpass.diff; keywords: + patch
2009-10-26 14:39:37 | pajs@fodder.org.uk | create |