PEP 3131: Supporting Non-ASCII Identifiers
Steven D'Aprano
steven at REMOVE.THIS.cybersource.com.au
Tue May 15 05:33:56 EDT 2007
On Sun, 13 May 2007 21:21:57 -0700, Paul Rubin wrote:
> Steven D'Aprano <steven at REMOVE.THIS.cybersource.com.au> writes:
>> password_is_correct is all ASCII.
>
> How do you know that? What steps did you take to ascertain it?
Why would I care? I don't bother to check it is ASCII because it makes no
difference whether it is ASCII or not. Allowing non-ASCII chars adds no
new vulnerability. Here's your example again, modified to show what I
mean:
if user_entered_password != stored_password_from_database:
    password_is_correct = False
# much code goes here...
password_is_correct = True  # sneaky backdoor inserted by Black Hat
# much code goes here...
if password_is_correct:
    log_user_in()
Your example was poor security in the first place, but the vulnerability
doesn't come from the name of the identifier. It comes from the algorithm
you used.
--
Steven.
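As an added example that is not part of this thread: a review-time check a maintainer can run over a Python source to list identifiers containing non-ASCII characters and to group identifiers that render alike but compare unequal, which is the concern PEP 3131's critics raised. The sample source and the tiny confusable map are constructed assumptions, not data from the post.

```python
import io
import tokenize
import unicodedata
from collections import defaultdict

# Constructed, deliberately small confusable map (Cyrillic/Greek -> Latin).
# A real tool would load the full Unicode confusables.txt data instead.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
})

# Constructed sample: the second assignment spells the name with Cyrillic
# U+0441 and U+043E, so it is a *different* variable that looks identical.
SAMPLE = (
    "if user_entered_password != stored_password_from_database:\n"
    "    password_is_correct = False\n"
    "password_is_\u0441\u043errect = True\n"
    "if password_is_correct:\n"
    "    log_user_in()\n"
)


def _names(source: str):
    """Yield every NAME token string in the source (keywords included)."""
    readline = io.BytesIO(source.encode("utf-8")).readline
    for tok in tokenize.tokenize(readline):
        if tok.type == tokenize.NAME:
            yield tok.string


def skeleton(name: str) -> str:
    """Fold an identifier to the ASCII spelling it resembles on screen.
    NFKC first, because that is how Python itself canonicalises identifiers."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES)


def non_ascii_identifiers(source: str) -> set[str]:
    """Identifiers that contain at least one non-ASCII character."""
    return {n for n in _names(source) if not n.isascii()}


def find_confusable_identifiers(source: str) -> dict[str, set[str]]:
    """Map skeleton -> distinct spellings, kept only where two or more
    spellings collapse to the same skeleton (i.e. look-alike names)."""
    by_skeleton: dict[str, set[str]] = defaultdict(set)
    for n in _names(source):
        by_skeleton[skeleton(n)].add(n)
    return {k: v for k, v in by_skeleton.items() if len(v) > 1}


if __name__ == "__main__":
    print(non_ascii_identifiers(SAMPLE))
    print(find_confusable_identifiers(SAMPLE))
```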