Password validation security issue

Chris Angelico rosuav at
Sat Mar 1 19:43:33 CET 2014

On Sun, Mar 2, 2014 at 5:38 AM, Tim Chase <python.list at> wrote:
> That said, if the user has access to the source code, there's nothing
> preventing them from changing
>   if hash(provided_password) == existing_hash:
>     do_magic()
> into just
>   if True:
>     do_magic()
> and re-running the program.

They don't necessarily have to have the ability to edit the file.
Based on the original description, the problem is that if Python
running as that user can read the file (to run it), then so can
anything else running as that user. Python doesn't need to be able to
change the file.


More information about the Python-list mailing list