[Patches] netrc module parse bug

Lance Finn Helsten helsten@inconnect.com
Mon, 3 Apr 2000 00:15:28 -0600 

<fixed><smaller><fontfamily><param>Courier</param>When a .netrc file has =
passwords that contain non-alphanumeric characters the netrc.__init__ =
throws an exception. To change this in the .netrc would pose security =
risks.


Changes:

    1) Added all 7-bit characters to the wordchars field.

    2) Turned off quotes.

    3) Turn '#' off and on as a comment character around the top level =
get_token, so it is usable in passwords.


This assumes that all comments start in column 0. End of line comments =
will probably not work.


*** netrc.py    Fri Feb  4 08:10:33 2000

--- /usr/local/lib/python1.5/netrc.py   Sun Apr  2 23:46:31 2000

***************

*** 15,24 ****

          self.hosts =3D {}

          self.macros =3D {}

          lexer =3D shlex.shlex(fp)

!         lexer.wordchars =3D lexer.wordchars + '.'

          while 1:

              # Look for a machine, default, or macdef top-level keyword

              toplevel =3D tt =3D lexer.get_token()

              if tt =3D=3D '' or tt =3D=3D None:

                  break

              elif tt =3D=3D 'machine':

--- 13,25 ----

          self.hosts =3D {}

          self.macros =3D {}

          lexer =3D shlex.shlex(fp)

!         lexer.wordchars =3D lexer.wordchars + =
'~!@#$%^&*()-=3D+`[]{}\\|;:,./<<>?\'"'

!         lexer.quotes =3D ''

          while 1:

              # Look for a machine, default, or macdef top-level keyword

+             lexer.commenters =3D '#'

              toplevel =3D tt =3D lexer.get_token()

+             lexer.commenters =3D ''

              if tt =3D=3D '' or tt =3D=3D None:

                  break

              elif tt =3D=3D 'machine':

***************

<flushleft>

I confirm that, to the best of my knowledge and belief, this

contribution is free of any claims of third parties under

copyright, patent or other rights or interests ("claims").  To

the extent that I have any such claims, I hereby grant to CNRI a

nonexclusive, irrevocable, royalty-free, worldwide license to

reproduce, distribute, perform and/or display publicly, prepare

derivative versions, and otherwise use this contribution as part

of the Python software and its related documentation, or any

derivative versions thereof, at no cost to CNRI or its licensed

users, and to authorize others to do so.


I acknowledge that CNRI may, at its sole discretion, decide

whether or not to incorporate this contribution in the Python

software and its related documentation.  I further grant CNRI

permission to use my name and other identifying information

provided to CNRI by me for use in connection with the Python

software and its related documentation.



Lance Finn Helsten

helsten@inconnect.com

helsten@ieee.org

helsten@acm.org


You cannot free a slave save he do it himself. You cannot enslave a =
freeman, the most you can do is kill him. ~Robert A. Heinlien=