sundarnagarajan / py-bcrypt

Automatically exported from code.google.com/p/py-bcrypt

Thread safety problem #12

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hello!

I have nothing to do with python, but stumbled over this code.

The pybc_bcrypt function is not thread-safe, as it uses a static buffer 
('encrypted') as the return value.

As a consequence I think that the 

        Py_BEGIN_ALLOW_THREADS;
        ret = pybc_bcrypt(password_copy, salt_copy);
        Py_END_ALLOW_THREADS;

code can produce invalid results when called from multiple threads.
Best solution should be to pass the result buffer as an additional parameter.

Best regards
Sönke

Original issue reported on code.google.com by xgcs...@gmail.com on 15 Jan 2013 at 12:02

GoogleCodeExporter commented 8 years ago
Fixed in py-bcrypt-0.3. I apologise for noticing your bug about 30 minutes 
after I made the release.

It turned out that it may have been possible to bypass authentication by 
arranging for threads to write over the shared data.

Original comment by d...@djm.net.au on 18 Mar 2013 at 9:20
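
The static-buffer pattern reported above, next to the suggested caller-supplied-buffer form, as an added example that is not py-bcrypt's code. The names `toy_digest`, `hash_static` and `hash_r` are hypothetical, FNV-1a stands in for bcrypt, and the two-thread interleaving is replayed sequentially so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 17 /* 16 hex digits + NUL */

/* Toy stand-in for the real hash (FNV-1a, NOT bcrypt): an assumption of this example. */
static void toy_digest(const char *pw, const char *salt, char *out, size_t n)
{
    unsigned long long h = 0xcbf29ce484222325ULL;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 0x100000001b3ULL; }
    for (const char *p = pw; *p; p++) { h ^= (unsigned char)*p; h *= 0x100000001b3ULL; }
    snprintf(out, n, "%016llx", h);
}

/* Pattern from the report: every caller gets a pointer to the same static buffer. */
const char *hash_static(const char *pw, const char *salt)
{
    static char encrypted[HASH_LEN];
    toy_digest(pw, salt, encrypted, sizeof encrypted);
    return encrypted;
}

/* Suggested fix: the caller passes the result buffer as an additional parameter. */
int hash_r(const char *pw, const char *salt, char *out, size_t n)
{
    if (out == NULL || n < HASH_LEN) return -1;
    toy_digest(pw, salt, out, n);
    return 0;
}

/* Replays in one thread the order two threads can produce once the GIL is released:
 * A hashes, B hashes, then A reads its result. Returns 1 if A's result was overwritten. */
int static_result_clobbered(void)
{
    char expected_a[HASH_LEN];
    hash_r("password-A", "salt", expected_a, sizeof expected_a);
    const char *a = hash_static("password-A", "salt");
    const char *b = hash_static("password-B", "salt"); /* the "other thread" */
    return a == b && strcmp(a, expected_a) != 0;
}

/* Same order with caller-owned buffers: returns 1 if both results survive intact. */
int reentrant_results_independent(void)
{
    char a[HASH_LEN], b[HASH_LEN], a2[HASH_LEN];
    if (hash_r("password-A", "salt", a, sizeof a) || hash_r("password-B", "salt", b, sizeof b)
        || hash_r("password-A", "salt", a2, sizeof a2)) return 0;
    return strcmp(a, a2) == 0 && strcmp(a, b) != 0;
}
```

With the static buffer, caller A ends up comparing against the hash computed for caller B's input, which is the invalid-result case the report describes.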