Tres Seaver wrote:
> Hanno Schlichting wrote:
>
>> Removed _filterPasswordFields hack, preventing keys with the exact
>> key 'passw' to be filtered out in one place is just obscurity.
>
> But you didn't de-obfuscate it, you ripped it out. Now, the response
> view shows credentials, which is a security hole.

Unless I've misunderstood the code, this particular "feature" only worked for input fields whose name contained "passw" in some form. It didn't check on the input type being password. As soon as the name is "auth" or anything else, the check would fail.

It also only did this filtering in the __str__ representation of the request, not the text method or any of the other methods to access the data. I call that security through obscurity.

Dealing with password input type fields is something for a form library, but not a request object in my book.

Hanno

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
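To make the two gaps Hanno describes concrete, here is an added illustration that is not Zope's or repoze's code: a hypothetical request wrapper (`NameFilteredRequest`) that masks by key name only in `__str__`, a hypothetical alternative (`TypedRedactingRequest`) that redacts from a declared list of secret fields in every rendering, and a `leaked_secrets` check that scans all renderings for the secret values. Class names, method names and the sample form are assumptions for this example.

```python
from typing import Dict, Iterable, List, Tuple

REDACTED = "<redacted>"


class NameFilteredRequest:
    """Hypothetical request object (not Zope's). Masks a value only when the
    key name contains 'passw', and only in the __str__ rendering."""

    def __init__(self, form: Dict[str, str]) -> None:
        self.form = dict(form)

    def __str__(self) -> str:
        out = []
        for key, value in sorted(self.form.items()):
            if "passw" in key.lower():  # guesses from the name, not the input type
                value = REDACTED
            out.append(f"{key}={value}")
        return "\n".join(out)

    def text(self) -> str:
        # A second rendering that is never filtered: secrets pass straight through
        return "\n".join(f"{k}={v}" for k, v in sorted(self.form.items()))


class TypedRedactingRequest(NameFilteredRequest):
    """Hypothetical alternative: the form definition says which fields are
    secret (input type=password) and every rendering honours that list."""

    def __init__(self, form: Dict[str, str], secret_fields: Iterable[str]) -> None:
        super().__init__(form)
        self.secret_fields = set(secret_fields)

    def _safe_items(self):
        for key, value in sorted(self.form.items()):
            yield key, (REDACTED if key in self.secret_fields else value)

    def __str__(self) -> str:
        return "\n".join(f"{k}={v}" for k, v in self._safe_items())

    text = __str__  # same redaction in every accessor


def leaked_secrets(request, secret_fields: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (field, rendering) pairs whose secret value appears verbatim
    in any rendering of the request; an empty list means nothing leaked."""
    renderings = {"__str__": str(request), "text": request.text()}
    leaks = [(name, label) for name in secret_fields
             for label, rendered in renderings.items()
             if request.form[name] in rendered]
    return sorted(leaks)
```

With a constructed form containing `password` and `auth` fields, the name-based wrapper leaks `auth` in both renderings and `password` through `text()`, while the declared-field wrapper leaks nothing.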