PEP 3131: Supporting Non-ASCII Identifiers

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Tue May 15 05:33:56 EDT 2007


On Sun, 13 May 2007 21:21:57 -0700, Paul Rubin wrote:

> Steven D'Aprano <steven at REMOVE.THIS.cybersource.com.au> writes:
>> password_is_correct is all ASCII.
> 
> How do you know that?  What steps did you take to ascertain it?

Why would I care? I don't bother to check it is ASCII because it makes no 
difference whether it is ASCII or not. Allowing non-ASCII chars adds no 
new vulnerability. Here's your example again, modified to show what I 
mean:


if user_entered_password != stored_password_from_database:
    password_is_correct = False
    # much code goes here...
    password_is_correct = True  # sneaky backdoor inserted by Black Hat
    # much code goes here...
if password_is_correct:
    log_user_in()

Your example was poor security in the first place, but the vulnerability 
doesn't come from the name of the identifier. It comes from the algorithm 
you used.


-- 
Steven.
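For a reader who does want to answer the quoted "How do you know that?" with an actual check, here is an added example (not from the thread or from PEP 3131's authors): it tokenizes a constructed snippet, reports every identifier that contains non-ASCII characters, and shows which spellings Python treats as the same binding after the NFKC normalization that PEP 3131 specifies. The sample source and function names are my own.

```python
"""Audit Python source for non-ASCII identifiers (constructed example)."""
import io
import tokenize
import unicodedata

# Constructed sample. Line 2 spells the name with a Cyrillic 'а' (U+0430),
# which is a different identifier from line 1. Line 3 uses a fullwidth 'ｐ'
# (U+FF50), which NFKC-normalizes to 'p', so Python binds it to the same
# variable as line 1 even though it looks different in an editor.
SAMPLE_SOURCE = (
    "password_is_correct = False\n"
    "p\u0430ssword_is_correct = True\n"
    "\uff50assword_is_correct = True\n"
    "if password_is_correct:\n"
    "    log_user_in()\n"
)


def audit_identifiers(source):
    """Return (line, raw_name, nfkc_name, codepoints) for each NAME token
    that contains at least one character outside ASCII."""
    records = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        normalized = unicodedata.normalize("NFKC", tok.string)
        codepoints = ["U+%04X %s" % (ord(c), unicodedata.name(c, "?"))
                      for c in tok.string if not c.isascii()]
        records.append((tok.start[0], tok.string, normalized, codepoints))
    return records


def spellings_per_binding(source):
    """Map each identifier as Python binds it (its NFKC form) to the set of
    spellings found in the source. A binding with more than one spelling is
    one variable written in visually different ways; two bindings that look
    alike are two variables."""
    spellings = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            key = unicodedata.normalize("NFKC", tok.string)
            spellings.setdefault(key, set()).add(tok.string)
    return spellings


if __name__ == "__main__":
    for line, raw, norm, cps in audit_identifiers(SAMPLE_SOURCE):
        same = "same binding as" if norm != raw else "distinct from"
        print("line %d: %r (%s) -> %s ASCII form %r" % (line, raw, ", ".join(cps), same, norm))
```

Run against the sample, the script reports line 2 as a distinct identifier and line 3 as a second spelling of `password_is_correct`; an all-ASCII file produces no records.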
