A wipe() method that mutates a string while it can still be referenced elsewhere is unacceptable -- it breaks an abstraction that is widely assumed.
Chris's proposal can be implemented; it would set a hidden flag. Hopefully there's room for the flag without increasing the object header size.

On Fri, Jun 22, 2018 at 5:46 PM Chris Angelico <ros...@gmail.com> wrote:

> On Sat, Jun 23, 2018 at 10:31 AM, Ezequiel Brizuela [aka EHB or
> qlixed] <qli...@gmail.com> wrote:
> > I propose to make the required changes on the string objects to add an
> > option to overwrite the underlying buffer. To do so:
> >
> > * Add a wiped attribute that is read-only, to be set when the string
> >   is overwritten.
> > * Add a wipe() method that overwrites the internal string buffer.
>
> Since strings are immutable, it's entirely possible for them to be
> shared in various ways. Having the string be wiped while still
> existing seems to be a risky approach.
>
> > So this will work like this:
> >
> > >>> pwd = getpass.getpass('Set your password:')  # could be other sensitive data.
> > >>> encrypted_pwd = crypt.crypt(pwd)  # crypt() just as example.
> > >>> pwd.wiped  # Check if pwd was wiped.
> > False
> > >>> pwd.wipe()  # Overwrite the underlying buffer
> > >>> pwd.wiped  # Check if pwd was wiped.
> > True
> > >>> print(pwd)  # Print noise (or empty str?)
> > >>> del pwd  # Now is in hands of the GC.
>
> Would it suffice to flag the string as "this contains sensitive data,
> please overwrite its buffer when it gets deallocated"? The only
> difference, in your example, would be that the last print would show
> the original data, and the wipe would happen afterwards. Advantages of
> this approach include that getpass can automatically flag the string
> as sensitive, and the "sensitive" flag can infect other strings (so
> <<pwd + "x">> would be automatically flagged to be wiped). Downside:
> You can't say "I'm done with this string, destroy it immediately".
>
> ChrisA

--
--Guido van Rossum (python.org/~guido)
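The two behaviours discussed in this thread, sketched as an added example (not code from the thread or from CPython): a hypothetical `SensitiveBytes` wrapper owns a private `bytearray`, passes the flag on through concatenation, and zeroes the buffer on deallocation, while an explicit `wipe()` is visible through every alias. It assumes CPython reference counting and cannot wipe copies held elsewhere, such as the `bytes` object passed in.

```python
class SensitiveBytes:
    """Hypothetical wrapper, not a CPython API: owns a private mutable buffer."""

    __slots__ = ("_buf", "wiped")

    def __init__(self, data=b""):
        self.wiped = False
        self._buf = bytearray(data)  # private copy; the caller's object is NOT wiped

    def __len__(self):
        return len(self._buf)

    @classmethod
    def _adopt(cls, buf):
        out = cls()
        out._buf = buf  # take ownership of a freshly built bytearray
        return out

    def __add__(self, other):
        raw = other._buf if isinstance(other, SensitiveBytes) else other
        return self._adopt(self._buf + raw)  # the result inherits the flag

    def __radd__(self, other):
        return self._adopt(bytearray(other) + self._buf)

    def wipe(self):
        self._buf[:] = bytes(len(self._buf))  # same length: overwritten in place
        self.wiped = True

    def __del__(self):
        # Runs when the last reference goes away, so no alias can observe it.
        if hasattr(self, "_buf"):
            self.wipe()


def demo():
    pwd = SensitiveBytes(b"hunter2")  # constructed sample secret
    alias = pwd                       # second reference to the same object
    salted = pwd + b"x"               # flagged automatically
    salted_buf = salted._buf          # raw buffer kept only to observe the wipe
    del salted                        # CPython: refcount hits 0, buffer is zeroed
    wiped_on_dealloc = salted_buf == bytearray(8)
    intact_before = bytes(alias._buf) == b"hunter2"
    pwd.wipe()                        # explicit wipe is visible through the alias
    return wiped_on_dealloc, intact_before, alias.wiped, bytes(alias._buf)
```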