[Python-Dev] Possible bugs and security holes in getpass.py

Oleg Zabluda ozabluda at yahoo.com
Mon Dec 1 21:53:18 EST 2003

I am comparing getpass.py
and getpass.c from glibc

Here are the differences that I identified, some of which may or may not
be bugs in getpass.py:

1. getpass.c sets ~ISIG in addition to ~ECHO.
2. getpass.c locks "stdin".
3. getpass.c makes sure the "stdin" is closed even if the thread is cancelled.
4. getpass.c explicitly flushes "stdin" after outputting the promt and before
   reading the password.
5. getpass.c opens "stdin" in "c" mode. This sets _IO_FLAGS2_NOTCANCEL,
   whatever that means. Maybe it has something to do with thread cancellation,
   maybe not.

1,2,3,5 are possible security holes in addition to being possible bugs.

Although I don't completely understand all the details, it appears to me
that getpass.c is more correct then getpass.py.

Suggestion/RFC: either implement the same functionality or a portion
thereof in getpass.py, or implement it using getpass(3) directly, at least
when linking with glibc.

More references:
'info getpass'

It would help if we knew whether login, passwd, chfn, su, sudo, yppasswd,
etc, use getpass(3) or not. If yes, the answer would be a no-brainer to me.


More information about the Python-Dev mailing list