[New-bugs-announce] [issue36997] Document that spwd is considered harmful
Christian Heimes
report at bugs.python.org
Tue May 21 13:00:09 EDT 2019
New submission from Christian Heimes <lists at cheimes.de>:
The spwd module has several flaws. Especially the combination of spwd and crypt for password verification is dangerous and in almost all cases technically wrong.
# don't do this!
pw1 = spwd.getspnam(username).sp_pwd
pw2 = crypt.crypt(password, pw1)
if pw1 == pw2:
    ...
On BSD, Linux, and macOS, account and credential verification must go through PAM.
Also see:
https://mail.python.org/pipermail/python-dev/2019-May/157562.html
https://mail.python.org/pipermail/python-dev/2019-May/157564.html
----------
assignee: christian.heimes
components: Documentation, Extension Modules
messages: 343072
nosy: christian.heimes
priority: high
severity: normal
stage: needs patch
status: open
title: Document that spwd is considered harmful
type: security
versions: Python 2.7, Python 3.7, Python 3.8, Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36997>
_______________________________________
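A static check for the pattern the report warns against, as an added example that is not part of the original message or of CPython: it flags every function or module-level scope that both looks up shadow entries through spwd and calls crypt.crypt(), following import aliases. The function names and SAMPLE are constructed for illustration.

```python
import ast

READS = {"spwd.getspnam", "spwd.getspall"}  # shadow database lookups
FUNCS = (ast.FunctionDef, ast.AsyncFunctionDef)
# Constructed sample input: the pattern from the report, written with aliased imports.
SAMPLE = """\
import spwd as s
from crypt import crypt as c
def check(username, password):
    pw1 = s.getspnam(username).sp_pwdp
    return c(password, pw1) == pw1
"""

def _aliases(tree):  # local name -> dotted name it was imported as
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = node.module + "." if getattr(node, "module", None) else ""
            names.update({a.asname or a.name: prefix + a.name for a in node.names})
    return names

def _dotted(func, names):  # call target (s.getspnam, c) -> "spwd.getspnam", "crypt.crypt"
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None
    return ".".join([names.get(func.id, func.id)] + parts[::-1])

def _calls(scope, names):  # calls made in this scope, skipping nested function bodies
    found, stack = set(), list(ast.iter_child_nodes(scope))
    while stack:
        node = stack.pop()
        if isinstance(node, ast.Call):
            found.add(_dotted(node.func, names))
        if not isinstance(node, FUNCS):
            stack.extend(ast.iter_child_nodes(node))
    return found

def find_spwd_crypt_checks(source):
    """Sorted (scope, line) for each scope that reads shadow entries and calls crypt.crypt()."""
    tree = ast.parse(source)
    names = _aliases(tree)
    scopes = [tree] + [n for n in ast.walk(tree) if isinstance(n, FUNCS)]
    hits = [(s, _calls(s, names)) for s in scopes]
    return sorted((getattr(s, "name", "<module>"), getattr(s, "lineno", 1))
                  for s, c in hits if c & READS and "crypt.crypt" in c)

if __name__ == "__main__":
    print(find_spwd_crypt_checks(SAMPLE))
```

A lookup in one function combined with a crypt.crypt() call in another is not reported, so treat an empty result as a first pass rather than a clean bill.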