Password validation security issue

Chris Angelico rosuav at gmail.com
Sat Mar 1 19:43:33 CET 2014


On Sun, Mar 2, 2014 at 5:38 AM, Tim Chase <python.list at tim.thechases.com> wrote:
> That said, if the user has access to the source code, there's nothing
> preventing them from changing
>
>   if hash(provided_password) == existing_hash:
>     do_magic()
>
> into just
>
>   if True:
>     do_magic()
>
> and re-running the program.

They don't necessarily have to have the ability to edit the file.
Based on the original description, the problem is that if Python
running as that user can read the file (to run it), then so can
anything else running as that user. Python doesn't need to be able to
change the file.

ChrisA



More information about the Python-list mailing list