changeset 3315:e66f55d0076d

security fix: remove cracklib support from password_checker (port from 1.6)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 18 Mar 2008 22:32:25 +0100
parents 6eb96b8664b0
children 5f9ed5b4596f
files MoinMoin/config/multiconfig.py
diffstat 1 files changed, 5 insertions(+), 13 deletions(-) [+]
--- a/MoinMoin/config/multiconfig.py	Tue Mar 18 20:58:57 2008 +0100
+++ b/MoinMoin/config/multiconfig.py	Tue Mar 18 22:32:25 2008 +0100
@@ -507,9 +507,11 @@
 
     def password_checker(username, password):
         """ Check if a password is secure enough.
-            First (and in any case), we use a built-in check to get rid of the
-            worst passwords. If there is cracklib installed, we use it for
-            additional checks.
+            We use a built-in check to get rid of the worst passwords.
+            
+            We do NOT use cracklib / python-crack here any more because it is
+            not thread-safe (we experienced segmentation faults when using it).
+
             If you don't want to check passwords, use password_checker = None.
 
             @return: None if there is no problem with the password,
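Review bot: The new blank docstring line at L22 carries trailing whitespace (`+            ` followed by nothing); it should be an empty line so the docstring does not pick up stray spaces and linters stay quiet. The rest of the rewritten docstring reads fine and the stated reason for dropping cracklib (thread-safety, observed segfaults) is the kind of rationale worth keeping in the code. password_checker's signature and the remainder of its docstring lie outside this hunk.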
@@ -537,16 +539,6 @@
                 if password in kbd or password in rev_kbd or \
                    password_lower in kbd or password_lower in rev_kbd:
                     raise ValueError("Password too easy (kbd sequence)")
-            try:
-                # to use advanced checking, you need to install python-crack,
-                # cracklib-runtime (dict processing) and do not forget to
-                # initialize the crack dicts!
-                import crack
-                # instead of some "old password" we give the username to check
-                # whether the password is too similar to the username
-                crack.VeryFascistCheck(password, username) # raises ValueError on bad passwords
-            except ImportError:
-                pass
             return None
         except ValueError, err:
             return str(err)
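Review bot: Dropping the `crack.VeryFascistCheck(password, username)` call also drops the only check visible here that compared the password against the username, and the surviving built-in checks in this hunk (the keyboard-sequence test at L30-32) never look at `username`, so a password equal to or containing the login name now passes unless an earlier check outside the hunk covers it. Since the removed call raised ValueError and the surrounding `try`/`except ValueError, err:` is kept, an equivalent built-in test fits at the point of the deletion without changing the function's error-reporting contract, e.g. `username_lower = username.lower()` followed by `if username in password or password in username or username_lower in password_lower or password_lower in username_lower:` and `raise ValueError("Password too easy (contains username)")`. The dictionary-word rejection cracklib provided has no replacement either; if that is accepted as the cost of the thread-safety fix, a one-line comment at the deletion site saying so (`# no dictionary check: cracklib was removed for thread-safety reasons, see docstring`) would stop a future maintainer from re-adding it. The start of password_checker, including where `password_lower` is defined, is outside this hunk.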