[Twisted-Python] Re: [Twisted-commits] InMemoryUsernamePasswordDatabaseDontUse didn't raise the error properly when the password was wrong
Itamar Shtull-Trauring
itamar at itamarst.org
Sun Sep 28 18:46:23 MDT 2003
On Sun, 28 Sep 2003 20:31:16 -0400
Jp Calderone <exarkun at intarweb.us> wrote:
> In this case, that means the client is able to discern between invalid
> usernames and invalid passwords, which would be a serious problem, if
> we were talking about anything other than
> InMemoryUsernamePasswordDatabaseDontUse. As it is, I think
> InMemoryUsernamePasswordDatabaseDontUse should intentionally reveal
> even more information about why the login failed (making it more useful
> for debugging and less useful for production), and the difference
> between returning a Failure constructed from an exception and raising
> an exception in a callback be spelled out explicitly somewhere. Who
> knows when the difference will be forgotten and something
> unintentionally revealed, as it was in
> InMemoryUsernamePasswordDatabaseDontUse?
I don't think PB failures should send *ANY* traceback info. In fact, I
can't figure out how to prevent that from happening even on a case by
case basis.
--
Itamar Shtull-Trauring http://itamarst.org/
Available for Python & Twisted consulting
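
The two concerns raised in this thread (a client telling an unknown username from a wrong password, and traceback detail reaching the remote peer) can be seen side by side in the following added example. It is not part of the original message and is not Twisted code: it uses only the Python standard library, and `USERS`, `check_leaky`, `check_uniform`, `verbose_wire`, `minimal_wire` and `remote_login` are hypothetical names with constructed sample data.

```python
import hmac
import traceback

class UnauthorizedLogin(Exception):
    """Generic login failure (stand-in name for this example)."""

# Constructed sample data; plaintext only to mirror an in-memory test checker.
USERS = {"alice": "s3cret"}

def check_leaky(username, password):
    """Unknown user escapes as KeyError; wrong password as UnauthorizedLogin."""
    if USERS[username] != password:
        raise UnauthorizedLogin("password mismatch")
    return username

def check_uniform(username, password):
    """Both failure causes raise the same exception with the same empty text."""
    stored = USERS.get(username)
    # Compare even for unknown users so both paths do the same work.
    matches = hmac.compare_digest((stored or "").encode(), password.encode())
    if stored is None or not matches:
        raise UnauthorizedLogin()
    return username

def verbose_wire(exc):
    """Debug-style reply: exception type, message and traceback go to the client."""
    return {"error": type(exc).__name__, "message": str(exc),
            "traceback": traceback.format_exc()}

def minimal_wire(exc):
    """Production-style reply: one fixed value; detail stays in server-side logs."""
    return {"error": "UnauthorizedLogin"}

def remote_login(checker, wire, username, password):
    """Return what the remote peer would receive for one login attempt."""
    try:
        return {"avatar": checker(username, password)}
    except Exception as exc:
        return wire(exc)

if __name__ == "__main__":
    for checker, wire in ((check_leaky, verbose_wire), (check_uniform, minimal_wire)):
        print(checker.__name__,
              remote_login(checker, wire, "mallory", "x")["error"],
              remote_login(checker, wire, "alice", "x")["error"])
```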