[Python-Dev] Possible bugs and security holes in getpass.py

Jeff Epler jepler at unpythonic.net
Mon Dec 1 22:55:16 EST 2003

On Mon, Dec 01, 2003 at 06:53:18PM -0800, Oleg Zabluda wrote:
> I am comparing getpass.py
> (http://cvs.osafoundation.org/index.cgi/osaf/chandler/python/Lib/getpass.py)
> and getpass.c from glibc
> (http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/misc/getpass.c?rev=1.18&content-type=text/x-cvsweb-markup&cvsroot=glibc).

Many of the differences you cite seem related to glibc-specific
internals (I don't know what it means to 'lock "stdin"', open 'in "c"
mode', or 'set _IO_FLAGS2_NOTCANCEL', when talking about portable stdio
code, though I'm not a posix/SuS expert).  glibc-specific code is
unlikely to be included in Python, for obvious reasons.

> 4. getpass.c explicitly flushes "stdin" after outputting the prompt and before
>    reading the password.

In 2.2, I think the marked lines are supposed to perform those
        termios.tcsetattr(fd, termios.TCSADRAIN, new) ### HERE
        passwd = _raw_input(prompt)
        termios.tcsetattr(fd, termios.TCSADRAIN, old) ### HERE

> Suggestion/RFC: either implement the same functionality or a portion
> thereof in getpass.py, or implement it using getpass(3) directly, at least
> when linking with glibc.

I think that a _getpass module on systems that provide getpass(3) would
be appropriate.  The block at the bottom of getpass.py would have
another level added to deal with the import of _getpass and its absence:

   try:
       import _getpass
   except ImportError:
       existing block, but indented more
   else:
       getpass = _getpass.getpass

There's probably nothing subtle about writing _getpassmodule.c, and
distutils should be able to handle its absence gracefully (?).
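An added example, not Jeff's sketch or CPython's getpass.py, showing the two points of this thread together: the termios version of the 2.2 snippet quoted above, and the import layering for a hypothetical `_getpass` C module (which does not exist in CPython; the name is an assumption for illustration). Two things differ from the quoted 2.2 lines: `TCSAFLUSH` is used instead of `TCSADRAIN`, because `TCSADRAIN` only waits for pending output while `TCSAFLUSH` also discards input received but not yet read, which is the "flush stdin before reading the password" behaviour Oleg points out in glibc's getpass.c; and the restore of the old terminal attributes sits in a `finally:` so a Ctrl-C during the read cannot leave the terminal with echo disabled. The attribute manipulation and the strategy selection are separated into functions so they can be checked without a terminal.

```python
import os
import sys
import termios

# Constructed example: a termios-based getpass fallback plus the import
# layering sketched in the post. Not CPython's getpass.py and not glibc code.

# Re-exported so callers (and tests) can build attribute lists without
# importing termios themselves.
ECHO = termios.ECHO
ICANON = termios.ICANON
ISIG = termios.ISIG


def without_echo(attrs):
    """Return a copy of a tcgetattr() list with ECHO cleared in c_lflag.

    Index 3 of the list is c_lflag. Only ECHO is cleared, so canonical
    line editing (ICANON) and signal generation (ISIG, i.e. Ctrl-C) keep
    working while the password is typed. The input list is not modified,
    because the caller needs it intact to restore the terminal later.
    """
    new = list(attrs)
    new[3] = attrs[3] & ~termios.ECHO
    return new


def echo_is_off(attrs):
    """True if the ECHO flag is clear in the c_lflag field of attrs."""
    return not (attrs[3] & termios.ECHO)


def termios_getpass(prompt="Password: "):
    """Read one line from the controlling terminal with echo disabled.

    TCSAFLUSH (rather than TCSADRAIN as in the 2.2 snippet) makes the
    change after pending output is written AND discards any typed-ahead
    input, so characters typed before the prompt are not consumed as the
    password. The old attributes are restored in `finally`, so an
    exception such as KeyboardInterrupt cannot leave echo turned off.
    """
    fd = sys.stdin.fileno()
    old = termios.tcgetattr(fd)
    try:
        termios.tcsetattr(fd, termios.TCSAFLUSH, without_echo(old))
        sys.stdout.write(prompt)
        sys.stdout.flush()
        line = sys.stdin.readline()
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, old)
        sys.stdout.write("\n")
        sys.stdout.flush()
    if not line:
        raise EOFError("end of input while reading password")
    return line.rstrip("\n")


def plain_getpass(prompt="Password: "):
    """Fallback when stdin is not a terminal (pipe, file): there is no
    echo to disable, so just prompt and read a line."""
    sys.stdout.write(prompt)
    sys.stdout.flush()
    line = sys.stdin.readline()
    if not line:
        raise EOFError("end of input while reading password")
    return line.rstrip("\n")


def choose_getpass(have_tty=None):
    """Select an implementation, mirroring the try/except/else layering.

    Order: a hypothetical _getpass C module wrapping getpass(3) if it can
    be imported; otherwise the termios version when stdin is a tty;
    otherwise the plain reader. Returns (strategy_name, callable) so the
    decision can be verified without touching a terminal.
    """
    try:
        import _getpass  # hypothetical module; ImportError on CPython
    except ImportError:
        pass
    else:
        return "_getpass", _getpass.getpass
    if have_tty is None:
        try:
            have_tty = os.isatty(sys.stdin.fileno())
        except (AttributeError, ValueError):
            have_tty = False
    if have_tty:
        return "termios", termios_getpass
    return "plain", plain_getpass


if __name__ == "__main__":
    name, getpass = choose_getpass()
    pw = getpass("Password: ")
    print("read %d characters via the %s implementation" % (len(pw), name))
```

Run it interactively to see the termios path; pipe a line into it (`echo secret | python example.py`) to see the plain path selected because stdin is not a tty. The `finally:` block is the part worth copying into any echo-off reader: without it, an interrupted read leaves the user's shell silently not echoing keystrokes.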

Before I'm +1 on doing this, though, here's what the linux (redhat 9)
manpage has to say about getpass:
               #include <unistd.h>

               char *getpass( const char * prompt );

               This function is obsolete. Do not use it.
The opengroup web page you mention says it is "LEGACY", with this
        This function was marked LEGACY since it provides no functionality
        which a user could not easily implement, and its name is
... how important is getpass, and did the opengroup really
underestimate the subtlety of its implementation that greatly?
