This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author baikie
Recipients baikie, loewis, vstinner
Date 2009-01-07.22:27:05
SpamBayes Score 0.14052951
Marked as misclassified No
Message-id <>
> baikie: Open a separated issue for the refcount error and fd leak.

OK.  It does affect 2.x as well, come to think of it.

> On Ubuntu, it's not possible to create an user with a non-ASCII
> name:
> $ sudo adduser é --no-create-home
> adduser: To avoid problems, the username should consist only of...

Well, good for Ubuntu :)  But you can still add one with the
lower-level useradd command, and not everyone uses Ubuntu.

> Your patch latin1.diff is wrong

Yes, I know it's "wrong" - I just thought of it as a stopgap
measure until some sort of bytes functionality is added (since
pwd already decodes everything as Latin-1, but tries to interpret
backslash escapes).  But yeah, if it's going to be changed later,
then I suppose there's not much point.

> I don't think that it can be called a "denial of service attack".

It depends on how the program uses these functions.  Obviously
Python itself is only vulnerable to a DoS if the interpreter
crashes or something, but what I'm saying is that there should be
a way for Python programs to access the password database that is
not subject to denial of service attacks.  If someone changes
their GECOS field they can make pwd.getpwall() fail for another
user's program, and if the program relies on pwd.getpwall()
working, then that's a DoS.
Date User Action Args
2009-01-07 22:27:09baikiesetrecipients: + baikie, loewis, vstinner
2009-01-07 22:27:09baikiesetmessageid: <>
2009-01-07 22:27:08baikielinkissue4859 messages
2009-01-07 22:27:06baikiecreate