Password validation security issue

Chris Angelico rosuav at gmail.com
Sat Mar 1 13:43:33 EST 2014


On Sun, Mar 2, 2014 at 5:38 AM, Tim Chase <python.list at tim.thechases.com> wrote:
> That said, if the user has access to the source code, there's nothing
> preventing them from changing
>
>   if hash(provided_password) == existing_hash:
>     do_magic()
>
> into just
>
>   if True:
>     do_magic()
>
> and re-running the program.

They don't necessarily have to have the ability to edit the file.
Based on the original description, the problem is that if Python
running as that user can read the file (to run it), then so can
anything else running as that user. Python doesn't need to be able to
change the file.

ChrisA
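As an added illustration of the point above (example code, not from the thread or any poster): a hypothetical hardened replacement for the quoted `hash(provided_password) == existing_hash` check (random salt, PBKDF2-HMAC-SHA256, constant-time compare), together with a check for the condition ChrisA describes, namely that a file the script can read is readable by anything else running as the same user, even with mode 0600.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Hypothetical hardened version of the quoted check; constructed for this
# example, not code from the thread. A slow, salted KDF only makes offline
# guessing against a leaked record expensive; it does not stop a same-user
# process from reading the record in the first place.
ITERATIONS = 200_000


def make_record(password: str) -> bytes:
    """Return b'salt_hex$hash_hex' for storage; the salt is random per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex().encode() + b"$" + digest.hex().encode()


def verify(password: str, record: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split(b"$", 1)
    salt = bytes.fromhex(salt_hex.decode())
    expected = bytes.fromhex(digest_hex.decode())
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def readable_by_same_user(path: str) -> bool:
    """True when the current user can read the file: the condition ChrisA raises,
    since any other process running as that user has the same access."""
    return os.access(path, os.R_OK)


def demo() -> dict:
    """Write a record to a temp file, restrict it to the owner, and show that the
    check works while the owning user (hence any of its processes) can still read it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, make_record("correct horse"))
        os.close(fd)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600: owner-only, still readable by the owner
        with open(path, "rb") as fh:
            record = fh.read()
        return {
            "accepts_right": verify("correct horse", record),
            "rejects_wrong": verify("wrong", record),
            "same_user_can_read": readable_by_same_user(path),
        }
    finally:
        os.unlink(path)
```

Tightening file permissions narrows who can read the record to the owning user, which is exactly the user whose other processes the thread is worried about; moving the check out of the user's own security context (a separate privileged service, or an OS-level credential store) is what changes that.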
