[Twisted-Python] Re: [Twisted-commits] InMemoryUsernamePasswordDatabaseDontUse didn't raise the error properly when the password was wrong

Itamar Shtull-Trauring itamar at itamarst.org
Sun Sep 28 20:46:23 EDT 2003

On Sun, 28 Sep 2003 20:31:16 -0400
Jp Calderone <exarkun at intarweb.us> wrote:

>   In this case, that means the client is able to discern between
>   invalid
> usernames and invalid passwords, which would be a serious problem, if
> we were talking about anything other than InMemoryUsernamePassword-
> DatabaseDontUse.  As it is, I think
> InMemoryUsernamePasswordDatabaseDontUse should intentionally reveal
> even more information about why the login failed(making it more useful
> for debugging and less useful for production), and the difference
> between returning a Failure constructed from an exception and raising
> an exception in a callback be spelled out explicitly somewhere.  Who
> knows when the difference will be forgotten and something
> unintentionally revealed, as it was in
> InMemoryUsernamePasswordDatabaseDontUse?

I don't think PB failures should sent *ANY* traceback info. In fact, I
can't figure out how to prevent that from happening even on a case by
case basis.

Itamar Shtull-Trauring    http://itamarst.org/
Available for Python & Twisted consulting

More information about the Twisted-Python mailing list