#3316: Adding `crypt' to list of password hashes for legacy apps.
-----------------------------+----------------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: adrian
Status: new | Component: Contrib apps
Version: SVN | Resolution:
Keywords: | Stage: Ready for checkin
Has_patch: 1 | Needs_docs: 1
Needs_tests: 1 | Needs_better_patch: 0
-----------------------------+----------------------------------------------
Changes (by mtredinnick):
* stage: Design decision needed => Ready for checkin
Comment:
Simon, your dynamic import approach is dangerous for just the reasons you
suggest: you are trusting externally supplied data as part of the security
path. History suggests that as smart as programmers are, debugging is
twice as hard and we will miss some sneaky way of smuggling in a bad
import or having the bad import used in combination with a compromised
machine to capture passwords (I have no idea how, but that's the point --
we can't think of everything). White-listing the permitted methods,
whether through if...elif blocks or a list, is the safer way.

I don't think the if...elif sequence is that bad. We need to have slightly
different actions in each case and it's only around a dozen lines for the
whole block. The alternative would be to look up the method in a table and
dispatch to a separate function each time, which will end up with even
more lines of code and be harder to read. If that if-block gets to twice the
size, we think of splitting it up. For now, I'm not unhappy with this.

I'm pretty happy with the patch. I'll apply it when I get a chance.
--
Ticket URL: <http://code.djangoproject.com/ticket/3316#comment:7>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
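
The white-listing argument in the comment above, as an added example that is not code from the ticket's patch or from Django. It assumes passwords are stored as an `algo$salt$hash` string; all function names are hypothetical, and the `crypt` branch is left out because Python's `crypt` module is platform-dependent and was removed in Python 3.13.

```python
import hashlib
import hmac
import importlib


def make_record(algo, salt, raw_password):
    # Builds a constructed sample record in the assumed 'algo$salt$hash' layout.
    digest = hashlib.new(algo, (salt + raw_password).encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (algo, salt, digest)


def check_password_allowlist(raw_password, encoded):
    """Verify a password; only explicitly named methods are ever executed."""
    parts = encoded.split("$", 2)
    if len(parts) != 3:
        raise ValueError("malformed password record")
    algo, salt, stored = parts
    data = (salt + raw_password).encode("utf-8")
    if algo == "md5":
        computed = hashlib.md5(data).hexdigest()
    elif algo == "sha1":
        computed = hashlib.sha1(data).hexdigest()
    else:
        # Unknown or tampered algorithm field: refuse, never look it up.
        raise ValueError("unsupported password algorithm: %r" % algo)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))


def resolve_hasher_dynamic(algo):
    """Hypothetical dynamic variant: the stored field chooses what is imported."""
    return importlib.import_module(algo)


if __name__ == "__main__":
    record = make_record("sha1", "a1b2", "s3cret")  # constructed sample
    print(check_password_allowlist("s3cret", record))
    tampered = "platform$a1b2$00"  # constructed: algorithm field is not a hash
    print(resolve_hasher_dynamic(tampered.split("$")[0]).__name__)
    try:
        check_password_allowlist("s3cret", tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

With the dynamic variant, whoever can write the stored record decides which module the verification path loads; the if...elif version fails closed on the same record.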