[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-05-29 Thread Martin v. Löwis
Martin v. Löwis added the comment: Thanks for the patches. Committed as r73015. -- resolution: -> accepted status: open -> closed

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-05-26 Thread Martin v. Löwis
Changes by Martin v. Löwis: -- assignee: -> loewis priority: -> high

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-05-24 Thread David Watson
David Watson added the comment: Patch to make get*nam() functions encode their arguments using the file system encoding and "surrogateescape" error handler, so that they correctly handle the user/group name fields returned by each other. -- Added file: http://bugs.python.org/file14056/s

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-05-24 Thread David Watson
David Watson added the comment: Patch to make pwd, spwd and grp decode their string fields using the file system encoding and the "surrogateescape" error handler, as per PEP 383. -- Added file: http://bugs.python.org/file14055/surrogateescape-fields.diff

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-07 Thread David Watson
David Watson added the comment: > baikie: Open a separate issue for the refcount error and fd leak. OK. It does affect 2.x as well, come to think of it. > On Ubuntu, it's not possible to create a user with a non-ASCII > name: > > $ sudo adduser é --no-create-home > > adduser: To avoid probl

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-07 Thread STINNER Victor
STINNER Victor added the comment: > For a system program written in Python, this > can amount to a denial of service attack, especially > if the program uses the get*all() functions I don't think that it can be called a "denial of service attack".

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-07 Thread STINNER Victor
STINNER Victor added the comment: About pwd, we have 7 fields: - username: the regex looks like « [a-za-z0-...@] [a-za-z0-...@\/]*$? », so it's ASCII only - password: ASCII only? on my Ubuntu, /etc/passwd uses "x" for all passwords, and /etc/shadow uses MD5 hash with a line like "$1$x6vJEXyc

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-07 Thread STINNER Victor
STINNER Victor added the comment: > it's conceivable that arbitrary data could even be > placed in the username field. On Ubuntu, it's not possible to create a user with a non-ASCII name: $ sudo adduser é --no-create-home adduser: To avoid problems, the username should consist only of letter

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-07 Thread STINNER Victor
STINNER Victor added the comment: baikie: Open a separate issue for the refcount error and fd leak. -- nosy: +haypo

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-07 Thread Martin v. Löwis
Martin v. Löwis added the comment: Any decision on this issue should be deferred until a PEP has been written and accepted that decides on usage of bytes in Unix APIs. -- nosy: +loewis

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-06 Thread David Watson
Changes by David Watson: Added file: http://bugs.python.org/file12623/latin1.diff

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-06 Thread David Watson
Changes by David Watson: Added file: http://bugs.python.org/file12622/minor.diff

[issue4859] pwd, spwd, grp functions vulnerable to denial of service

2009-01-06 Thread David Watson
New submission from David Watson: The pwd (and spwd and grp) modules deal with data from /etc/passwd (and/or other sources) that can be supplied by users on the system. Specifically, users can often change the data in their GECOS fields without the OS requiring that it conform to a specific enc
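The failure mode described in the original submission, and the two-sided fix described in David Watson's 2009-05-24 messages (decode fields with "surrogateescape", encode get*nam() arguments the same way), as an added example that is not part of the tracker thread or of the committed patches. It models the modules with a small passwd-record parser over constructed sample data (no real system accounts), and it pins the encoding to UTF-8 rather than calling sys.getfilesystemencoding(), which is what the real modules use, so that it behaves the same under any locale. Function and field names other than the pw_* attribute names are the example's own.

```python
"""Decoding passwd-style records the way PEP 383 / issue 4859 do it."""

from typing import List, NamedTuple


class PwEntry(NamedTuple):
    """The seven fields of a passwd record, named as the pwd module names them."""
    pw_name: str
    pw_passwd: str
    pw_uid: int
    pw_gid: int
    pw_gecos: str
    pw_dir: str
    pw_shell: str


# Constructed sample data, not taken from any real system. The second record
# has a Latin-1 GECOS field ("Andr\xe9", byte 0xE9) that is not valid UTF-8,
# which is exactly the kind of value a user can put in their own GECOS field.
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"andre:x:1001:1001:Andr\xe9 Dupont,,,:/home/andre:/bin/bash\n"
    b"bob:x:1002:1002:Bob,,,:/home/bob:/bin/sh\n"
)

# The real modules use sys.getfilesystemencoding(); pinned here (assumption
# for the example) so the result does not depend on the locale of the host.
ENCODING = "utf-8"


def parse_passwd_line(line: bytes, errors: str = "surrogateescape") -> PwEntry:
    """Split one record on ':' and decode its text fields.

    errors="strict" is the pre-fix behaviour: any undecodable byte raises
    UnicodeDecodeError. errors="surrogateescape" is the fixed behaviour: each
    undecodable byte becomes a lone surrogate in U+DC80..U+DCFF.
    """
    fields = line.rstrip(b"\n").split(b":")
    if len(fields) != 7:
        raise ValueError("malformed passwd record: %r" % (line,))
    text = [field.decode(ENCODING, errors) for field in fields]
    return PwEntry(text[0], text[1], int(text[2]), int(text[3]),
                   text[4], text[5], text[6])


def parse_all(data: bytes, errors: str = "surrogateescape") -> List[PwEntry]:
    """Model of getpwall(): one bad field in any record aborts the whole
    enumeration when decoding is strict, which is the denial-of-service point."""
    return [parse_passwd_line(line, errors)
            for line in data.splitlines(keepends=True) if line.strip()]


def strict_enumeration_fails(data: bytes) -> bool:
    """True if enumerating `data` with strict decoding raises, i.e. a single
    user-controlled field prevents the caller from seeing any account at all."""
    try:
        parse_all(data, errors="strict")
    except UnicodeDecodeError:
        return True
    return False


def encode_lookup_arg(name: str) -> bytes:
    """Model of the get*nam() side of the fix: encode a str argument back to
    the exact bytes the C library stores, so a name returned by one module
    (e.g. a gr_mem entry from grp) can be looked up through another (pwd)."""
    return name.encode(ENCODING, "surrogateescape")


def is_clean_text(value: str) -> bool:
    """False when `value` carries escaped bytes. Such strings round-trip through
    encode_lookup_arg() but raise UnicodeEncodeError if a program re-encodes
    them strictly, e.g. when writing them to a UTF-8 log or JSON document."""
    try:
        value.encode(ENCODING, "strict")
    except UnicodeEncodeError:
        return False
    return True


if __name__ == "__main__":
    for entry in parse_all(SAMPLE_PASSWD):
        print(entry.pw_name, repr(entry.pw_gecos), is_clean_text(entry.pw_gecos))
    print("strict enumeration fails:", strict_enumeration_fails(SAMPLE_PASSWD))
```

The caveat is_clean_text() encodes is the one a practitioner hits next: a surrogateescape'd string is safe to hand back to os/pwd/grp, but not to a strict encoder, so a program that logs or serialises GECOS fields still has to choose an error handler at that boundary.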