Message4279
OK the first patch is in.
Small change to file479 pbkdf2.patch: We still accept plaintext
passwords (in known_schemes) when parsing an encrypted password (e.g. from
the database). This way existing databases with plaintext passwords
continue to work (I don't know of any, this would need patching on the
user's side) and all regression tests pass.
Does anybody think this is a security issue (I don't, you'll have to be
quite creative to use plaintext storage)?
Concerning the second patch:
- This breaks some of the regression tests, notably import/export
(only for mysql and memorydb, and not always; it seems to be an issue
with sorting, and since the sort order changes it doesn't happen
every time), needs further work to make sure we don't try to convert
the string in the journal to a Password instance.
- It has a small bug for anydbm, we want the obscured value in the
journal, not in the user instance (!), patch attached.
- After applying the anydbm fix, the regression test for Import/Export
also fails for memorydb (but interestingly *not* for anydbm).
I'll further look into this when time permits, just documenting
everything here in case someone else wants to contribute.

Date | User | Action | Args |
2011-04-14 12:44:54 | schlatterbeck | set | messageid: <1302785094.94.0.117978561449.issue2550688@psf.upfronthosting.co.za> |
2011-04-14 12:44:54 | schlatterbeck | set | recipients: + schlatterbeck, richard, ber, joseph_myers, elic |
2011-04-14 12:44:54 | schlatterbeck | link | issue2550688 messages |
2011-04-14 12:44:54 | schlatterbeck | create | |