Message 163671 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	loewis
Recipients	Jon.Oberheide, alex, christian.heimes, fijall, georg.brandl, hynek, loewis, ncoghlan, petri.lehtinen, pitrou, python-dev, serhiy.storchaka
Date	2012-06-23.20:42:35
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<4FE62A3A.4050307@v.loewis.de>
In-reply-to	<1340312987.2703.25.camel@raxxla>

Content
>>> About code. Instead (PyBytes_CheckExact(a) && PyBytes_CheckExact(b)) you >>> should use ((PyBytes_CheckExact(a) != 0) & (PyBytes_CheckExact(b) != >>> 0)). >> >> What's the difference? They are the same. > > Laziness. If "a" (a secret key) is not bytes then PyBytes_CheckExact(b) > ("b" is a user input) is not called. It exposes secret key type. I'm not > sure if it is real secret however. I see; I missed that your version was using &. In any case, I don't think this is a threat: you couldn't use it to get the secret key faster.

>>> About code. Instead (PyBytes_CheckExact(a) && PyBytes_CheckExact(b)) you
>>> should use ((PyBytes_CheckExact(a) != 0) & (PyBytes_CheckExact(b) !=
>>> 0)).
>>
>> What's the difference? They are the same.
> 
> Laziness. If "a" (a secret key) is not bytes then PyBytes_CheckExact(b)
> ("b" is a user input) is not called. It exposes secret key type. I'm not
> sure if it is real secret however.

I see; I missed that your version was using &. In any case, I don't
think this is a threat: you couldn't use it to get the secret key
faster.

History
Date	User	Action	Args
2012-06-23 20:42:39	loewis	set	recipients: + loewis, georg.brandl, ncoghlan, pitrou, christian.heimes, alex, fijall, python-dev, petri.lehtinen, hynek, serhiy.storchaka, Jon.Oberheide
2012-06-23 20:42:36	loewis	link	issue15061 messages
2012-06-23 20:42:35	loewis	create