New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Auth bypass when using an optimised build #102

passcod opened this Issue Jan 10, 2018 · 1 comment


None yet
2 participants
Copy link

passcod commented Jan 10, 2018

Similar to this:

Oh, this is glorious: pysaml2 library uses an assert statement to check & reject users who use the wrong password; however when running with the optimiser enabled, all assert statements are stripped… so: anyone can log into anything with any password.

In here:

username, password = decoded.split(':')
assert username == conf.api_user
assert password == conf.api_key

This comment has been minimized.

@alfredodeza alfredodeza self-assigned this Jan 11, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment