Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

del password and python string objects #187

Closed
jeffmallozzi opened this issue Jul 28, 2021 · 1 comment · Fixed by #190
Closed

del password and python string objects #187

jeffmallozzi opened this issue Jul 28, 2021 · 1 comment · Fixed by #190
Labels
bug

Comments

@jeffmallozzi
Copy link

in html_roles_fetcher.py, line 132, and other places there is:

password = '###################################################'
del password

I believe that this is an attempt to overwrite the user's password in memory before deleting it from memory, a belt and suspenders approach. However I don't think this accomplishes what is intended.

In Python strings are immutable so in the first line:

password = '###################################################'

Python is creating a new string object in a new memory location and reassigning the name 'password' to that new object. Then

del password

is destroying that new string object. The old string object, containing the user's password, has now been left to the garbage collector to take care of. It has not been overwritten nor explicitly destroyed with 'del'.
pdecat added a commit that referenced this issue Sep 21, 2021
@pdecat
Properly erase password from memory (resolves #187)
92ba75a
@pdecat pdecat mentioned this issue Sep 21, 2021
Merged
@pdecat
Copy link
Collaborator

pdecat commented Sep 21, 2021

Indeed, submitted #190 to resolve this.

pdecat added a commit that referenced this issue Sep 21, 2021
@pdecat
Properly erase password from memory (resolves #187)
7f30067
pdecat added a commit that referenced this issue Sep 21, 2021
@pdecat
Properly erase password from memory (resolves #187)
3bba587
pdecat added a commit that referenced this issue Sep 21, 2021
@pdecat
Properly erase password from memory (resolves #187)
d40d4af
@pdecat pdecat added the bug label Sep 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Properly erase password from memory venth/aws-adfs
2 participants
@pdecat @jeffmallozzi