On Sun, 13 May 2007 21:21:57 -0700, Paul Rubin wrote:
> Steven D'Aprano <[EMAIL PROTECTED]> writes:
>> password_is_correct is all ASCII.
>
> How do you know that? What steps did you take to ascertain it?
Why would I care? I don't bother to check it is ASCII because it makes no
difference whether it is ASCII or not. Allowing non-ASCII chars adds no
new vulnerability. Here's your example again, modified to show what I
mean:
if user_entered_password != stored_password_from_database:
    password_is_correct = False
# much code goes here...
password_is_correct = True  # sneaky backdoor inserted by Black Hat
# much code goes here...
if password_is_correct:
    log_user_in()
Your example was poor security in the first place, but the vulnerability
doesn't come from the name of the identifier. It comes from the algorithm
you used.
--
Steven.
--
http://mail.python.org/mailman/listinfo/python-list
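Added example, not code from either post in this thread (Python 3, where non-ASCII identifiers are legal). It covers the two points the exchange turns on: a scan that answers "what steps did you take to ascertain it is all ASCII" by listing every non-ASCII identifier the parser actually binds, a run of a constructed snippet in which one name contains a Cyrillic letter to show that it is a separate binding from its ASCII look-alike, and a login written so that the comparison and the action sit in one statement, leaving no flag for a later line to set. SUSPECT_SOURCE, non_ascii_identifiers, run_and_inspect and login are this example's own names; the snippet they operate on is constructed.

```python
import ast
import hmac

# Constructed Python 3 snippet for this example (not code posted in the
# thread). It reads like the flag-based login above, except that the 'a'
# in the second assignment is CYRILLIC SMALL LETTER A (U+0430), so that
# line binds a different name from the one the `if` tests.
SUSPECT_SOURCE = (
    "password_is_correct = False\n"
    "p\u0430ssword_is_correct = True\n"
    "if password_is_correct:\n"
    "    log_user_in()\n"
)


def non_ascii_identifiers(source):
    """Map each non-ASCII identifier in `source` to the lines it appears on.

    The parser has already NFKC-normalised every identifier (that is what
    the interpreter binds), so a name that is still non-ASCII here is a
    genuinely distinct variable, however it looks on screen.
    """
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name):
            name = node.id
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            name = node.name
        elif isinstance(node, ast.arg):
            name = node.arg
        elif isinstance(node, ast.Attribute):
            name = node.attr
        else:
            continue
        if not name.isascii():
            found.setdefault(name, []).append(node.lineno)
    return found


def run_and_inspect(source):
    """Execute a constructed snippet and report which names it bound and
    whether log_user_in() ran. Only feed this constructed input: exec of
    untrusted source is exactly the kind of thing the scan above is for."""
    calls = []
    namespace = {"log_user_in": lambda: calls.append("log_user_in")}
    exec(compile(source, "<suspect>", "exec"), namespace)
    bound = {k: v for k, v in namespace.items()
             if k not in ("__builtins__", "log_user_in")}
    return bound, calls


def login(user_entered_password, stored_password):
    """Compare once and act in the same statement: no mutable
    'is correct' flag survives for later code to flip, whatever alphabet
    the identifiers use. compare_digest also avoids leaking, through
    timing, how many leading bytes matched. Both arguments are bytes.
    A real system would compare against a salted hash rather than the
    stored password itself; the thread's example keeps it simple."""
    if hmac.compare_digest(user_entered_password, stored_password):
        return "logged_in"      # stands in for log_user_in()
    return "rejected"


if __name__ == "__main__":
    print(non_ascii_identifiers(SUSPECT_SOURCE))
    bound, calls = run_and_inspect(SUSPECT_SOURCE)
    print(bound, calls)
    print(login(b"hunter2", b"hunter2"), login(b"hunter3", b"hunter2"))
```

Running it shows the scan reporting the Cyrillic name on line 2, the snippet binding two distinct variables (the ASCII one False, the look-alike True) without ever calling log_user_in, and the hardened login accepting only an exact match. The scan answers Paul's question mechanically; the login shape is what makes the answer irrelevant, which is Steven's point.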