David Watson <bai...@users.sourceforge.net> added the comment:

> baikie: Open a separate issue for the refcount error and fd leak.

OK. It does affect 2.x as well, come to think of it.

> On Ubuntu, it's not possible to create a user with a non-ASCII
> name:
>
> $ sudo adduser é --no-create-home
>
> adduser: To avoid problems, the username should consist only of...

Well, good for Ubuntu :) But you can still add one with the lower-level useradd command, and not everyone uses Ubuntu.

> Your patch latin1.diff is wrong

Yes, I know it's "wrong" - I just thought of it as a stopgap measure until some sort of bytes functionality is added (since pwd already decodes everything as Latin-1, but tries to interpret backslash escapes). But yeah, if it's going to be changed later, then I suppose there's not much point.

> I don't think that it can be called a "denial of service attack".

It depends on how the program uses these functions. Obviously Python itself is only vulnerable to a DoS if the interpreter crashes or something, but what I'm saying is that there should be a way for Python programs to access the password database that is not subject to denial of service attacks. If someone changes their GECOS field they can make pwd.getpwall() fail for another user's program, and if the program relies on pwd.getpwall() working, then that's a DoS.

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue4859>
_______________________________________
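
The failure mode discussed in this message, as an added example that is not part of the original comment and is not CPython's pwd implementation: an all-or-nothing decode of passwd(5)-format data fails for every caller when one GECOS field holds undecodable bytes, while per-entry parsing with the `surrogateescape` error handler keeps the remaining entries usable. The sample data, the function names and the choice of UTF-8 are assumptions made for the illustration.

```python
# Added example: constructed passwd(5)-format data, not read from a real system.
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n"
    b"mallory:x:1001:1001:\xff\xfe broken GECOS:/home/mallory:/bin/sh\n"
    b"bob:x:1002:1002:Bob Example:/home/bob:/bin/bash\n"
    b"truncated:x:1003\n"
)

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def parse_strict(data, encoding="utf-8"):
    """All-or-nothing: one undecodable field raises for the whole database."""
    return [dict(zip(FIELDS, line.split(":")))
            for line in data.decode(encoding).splitlines() if line]


def parse_tolerant(data, encoding="utf-8"):
    """Parse entry by entry; return (entries, rejected_raw_lines)."""
    entries, rejected = [], []
    for raw in data.splitlines():
        if not raw:
            continue
        parts = raw.split(b":")
        if len(parts) != len(FIELDS):
            rejected.append(raw)  # structurally malformed: skip this entry only
            continue
        # surrogateescape maps undecodable bytes to lone surrogates instead
        # of raising, so a user-controlled field cannot abort the whole listing.
        entry = dict(zip(FIELDS,
                         (p.decode(encoding, "surrogateescape") for p in parts)))
        try:
            entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        except ValueError:
            rejected.append(raw)
            continue
        entries.append(entry)
    return entries, rejected


def gecos_bytes(entry, encoding="utf-8"):
    """Recover the exact original bytes of a GECOS field for logging or auditing."""
    return entry["gecos"].encode(encoding, "surrogateescape")
```

Strings decoded with `surrogateescape` can contain lone surrogates, so they must be re-encoded with the same handler (as `gecos_bytes` does) before being written to a log or a terminal.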