What are the internals of Pythons str.join()? (Hiding passwords from output) -


i stumbled upon interesting(?) way hide passwords (and other personal data) general output screen logfiles.

in book how make mistakes in python mike pirnat suggests implement class sensitive strings , overload __str__- , __repr__-methods.

i experimented , got this:

class secret(str):      def __init__(self, s):         self.string = s      def __repr__(self):         return "'" + "r"*len(self.string) + "'"      def __str__(self):         return "s" * len(self.string)      def __add__(self, other):         return str.__add__(self.__str__(), other)      def __radd__(self, other):         return str.__add__(other, self.__str__())      def __getslice__(self, i, j):         return ("x"*len(self.string))[i:j]

(i'm aware using len provides information content hide. it's testing.)

it works fine in cases:

pwd = secret("nothidden")  print("the passwort " + pwd)                  # passwort sssssssss print(pwd + " passwort.")                 # sssssssss password.  print("the passwort {}.".format(pwd))         # password sssssssss. print(["the", "passwort", "is", pwd])            # ['the', 'password', 'is', 'rrrrrrrrr'] print(pwd[:])                                    # xxxxxxxxx

however not work:

print(" ".join(["the", "password", "is", pwd]))  # password nothidden

so, how str.join() work internally? method have overload obscure string?

the issue inheriting str, implements __new__ means though avoided calling parent constructor in class, underlying c object still initialized it.

now join checking if has str subclass and, being implemented in c, access directly underlying c structure, or uses other str-related function bypasses __str__ , __repr__ (think it: if value string or string subclass, why code call __str__ or __repr__ obtain value? accesses underlying character array in way!)

to fix this: not inherit str! unfortunately means not able use object string in situations, that's pretty inevitable.

an alternative may work implement __new__ , feed different value str's __new__ method:

class secret(str):     def __new__(cls, initializer):         return super(secret, cls).__new__(cls, 'x'*len(initializer))     def __init__(self, initializer):         self.text = initializer     def __repr__(self):         return "'{}'".format("r"*len(self))     def __str__(self):         return "s"*len(self)     def __add__(self, other):         return str(self) + other     def __radd__(self, other):         return other + str(self)

which results in:

in [19]: pwd = secret('nothidden')  in [20]: print("the passwort " + pwd)                  # passwort sssssssss     ...: print(pwd + " passwort.")                 # sssssssss password.     ...:      ...: print("the passwort {}.".format(pwd))         # password sssssssss.     ...: print(["the", "passwort", "is", pwd])            # ['the', 'password', 'is', 'rrrrrrrrr']     ...: print(pwd[:]) passwort sssssssss sssssssss passwort. passwort sssssssss. ['the', 'passwort', 'is', 'rrrrrrrrr'] xxxxxxxxx  in [21]: print(" ".join(["the", "password", "is", pwd])) password xxxxxxxxx

however fail see how useful. mean: purpose of class avoid programming errors end display sensitive information? having exception being triggered better can identify bugs! it's best raise notimplementederror inside __str__ , __repr__ instead of silently provided useless value... sure don't leak secret finding bugs becomes hard.


Comments

Post a Comment

Popular posts from this blog

php - How to add and update images or image url in Volusion using Volusion API -

actually have store importing products store product data insert , update image or image url not insert , update. this xml code name datapro.txt. <products_joined> <productcode>3710_012t</productcode> <vendor_partno>eah5450silent/di/1gd3(lp)</vendor_partno> <productname>test product ta</productname> <hideproduct>n</hideproduct> <stockstatus>20</stockstatus> <lastmodified>1/5/2016 10:25:00 am</lastmodified> <lastmodby>2</lastmodby> <productweight>0.9</productweight> <productprice>100</productprice> <productmanufacturer>asus tek</productmanufacturer> <vendor_price>32.69</vendor_price> <numproductssharingstock>0</numproductssharingstock> <categoryids>107</categoryids> <producturl>http://tebkq.mvlce.servertrust.com/productdetails.asp?productcode=3710_012t</producturl...
Read more

Laravel mail error `Swift_TransportException in StreamBuffer.php line 269: Connection could not be established with host smtp.gmail.com [ #0]` -

i developing website contact-us page guest users can send me email using gmail . anytime try send mail using contact-us form, error swift_transportexception in streambuffer.php line 269: connection not established host smtp.gmail.com [ #0] this mail.php return [ 'driver' => env('mail_driver', 'smtp'), 'host' => env('mail_host', 'smtp.gmail.com'), 'port' => 587, 'from' => ['address' => '', 'name' => ''], 'encryption' => env('mail_encryption', 'tls'), 'username' => env('mail_username'), 'password' => env(mail_password), 'sendmail' => '/usr/sbin/sendmail -bs', 'pretend' => env('mail_pretend', false), ]; this .env mail_driver=smtp mail_host=smtp.gmail.com mail_port=587 mail_username=afecjaped@gmail.com mail_password=********...
Read more

c# SetCompatibleTextRenderingDefault must be called before the first -

i tried search exception couldn't find solution on case i'am using code below invoke .net application : assembly assem = assembly.load(data); methodinfo method = assem.entrypoint; var o = activator.createinstance(method.declaringtype); method.invoke(o, null); the application invoked has form , in entrypoint of application : [stathread] static void main() { application.enablevisualstyles(); application.setcompatibletextrenderingdefault(false); //exception application.run(new form1()); } setcompatibletextrenderingdefault must called before first iwin32window object created in application. edit : assembly = assembly.load(data); methodinfo method = a.gettype().getmethod("start"); var o = activator.createinstance(method.declaringtype); method.invoke(o, null); you should create new method skips initialization...
Read more