Fwd: Re: Passwords in APIs

John J Lee jjl at pobox.com
Wed Dec 11 08:02:31 EST 2002


On 10 Dec 2002 21:36:08 -0600, "Ian Bicking" <ianb at colorstudy.com> said:
> On Mon, 2002-12-09 at 17:03, John J Lee wrote:
[...]
> > might be exploited.  The only thing I can come up with is that it's
> > possible someone could add an HTMLForm instance to an object, then end
> > up pickling the object to disk, perhaps not realising that the
> > password is still in there.  I suppose this may be sufficient reason
> > in itself.
[stuff about encryption snipped]
> I wouldn't worry, though.  I wouldn't expect the password to be
> protected if I was using your library.

I certainly agree with you that encryption is not appropriate.  The
issue I was worried about was forgetting that there is a reference
to the password in the HTMLForm instance, and ending up pickling it
(hence the password) accidentally, when you could easily have del-ed
it first.  Since these are mistakes we're talking about here, not
deliberate decisions, what the user does or doesn't expect isn't
really the point.


John
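The accidental-pickling hazard John describes, shown as an added example that is not code from the thread or from ClientForm: a stand-in form class holds the password as a plain attribute, an object that keeps a reference to it is pickled, and the password bytes land in the pickle. The two mitigations shown (del-ing the form first, or having the owning object drop the form in `__getstate__`) are the editor's illustration; `FormStandIn`, `Session` and `SafeSession` are constructed names.

```python
import pickle

# Constructed sample value, clearly not a real credential.
PASSWORD = "constructed-example-password"


class FormStandIn:
    """Stand-in for the HTMLForm instance in the thread (not ClientForm's class).

    It keeps the field values, password included, as an ordinary attribute,
    so anything that pickles it pickles the password too.
    """

    def __init__(self, fields):
        self.fields = dict(fields)


class Session:
    """An object that holds a reference to the form, as the thread describes."""

    def __init__(self, user, form):
        self.user = user
        self.form = form


class SafeSession(Session):
    """Same object, but the form reference is dropped when pickled."""

    def __getstate__(self):
        state = self.__dict__.copy()
        state.pop("form", None)   # never let the form (and its password) reach disk
        return state

    def __setstate__(self, state):
        self.__dict__.update(state)
        self.form = None          # restored objects have no form; callers must re-create it


def pickle_contains(obj, needle):
    """True if the UTF-8 bytes of `needle` appear verbatim in the pickle of `obj`."""
    return needle.encode("utf-8") in pickle.dumps(obj)


def make_form():
    return FormStandIn({"user": "alice", "password": PASSWORD})


def plain_session_leaks():
    # The mistake: the form is still referenced when the object is pickled.
    return pickle_contains(Session("alice", make_form()), PASSWORD)


def del_before_pickle_leaks():
    # Mitigation 1: del the reference before pickling, as John suggests.
    s = Session("alice", make_form())
    del s.form
    return pickle_contains(s, PASSWORD)


def safe_session_leaks():
    # Mitigation 2: the class itself refuses to serialise the form.
    return pickle_contains(SafeSession("alice", make_form()), PASSWORD)


def restored_safe_session_form():
    # Round-trip a SafeSession and report what came back in place of the form.
    s = pickle.loads(pickle.dumps(SafeSession("alice", make_form())))
    return s.form


if __name__ == "__main__":
    print("plain Session leaks password:", plain_session_leaks())
    print("del before pickle leaks:", del_before_pickle_leaks())
    print("SafeSession leaks password:", safe_session_leaks())
    print("form after round-trip:", restored_safe_session_form())
```

`pickle_contains` is a cheap check worth running in a test suite whenever an object that may hold credentials is persisted: a grep of the pickle bytes for a known test secret catches the "forgot the reference was there" mistake before it reaches disk.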