On Wed, 2006-01-11 at 14:54 +0100, Thomas Wouters wrote:
> On Wed, Jan 11, 2006 at 07:59:50AM -0500, Barry Warsaw wrote:
>
> > BTW, although I'm pretty sure the answer is "no" (at least, I hope it
> > is), is anyone aware of a situation where the mere importation of a
> > module can cause Python to crash?
>
> Well, I assume you aren't importing any 'hostile' code, nor running in an
> uncontrolled environment so I guess you mean other than running out of
> memory, or the module you are importing actually executing one of the ways
> to crash Python?

Correct.

> Or the module being an extension module that crashes on
> import? Or another extension module having corrupted the Python environment
> to a point where a simple import crashes Python? Or a non-extension module
> using one of the vulnerabilities (in, say, marshal, or pickle) to corrupt
> the Python environment? Or stuff in os.environ, like LD_* variables, that
> interfere with library linking? Ponder, ponder, no, can't think of any. :)

Let's keep it to modules in the standard library, although that includes extension modules, and let's further say that it's a controlled enough environment that you won't have stray evil modules floating around in your sys.path.

> The pickle vulnerability came up last year, when someone on #python was
> subclassing a builtin type (string or dict, I think the latter) that was
> using a magical invocation of (IIRC) __new__ on unpickle. The subclassed
> __new__ didn't handle this right, so the baseclass __new__ wasn't getting
> called right, and the new object's address space was not initialized. This
> led to crashes. I don't remember the details exactly, and my continuous
> advice of not subclassing builtin types unless you know what you're doing
> solved the issue (there was no actual need to subclass, there), and I have
> no idea whether that specific issue was solved or not, but I'm trying to
> find it again :)

-Barry
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
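The pickle remark quoted above rests on the unpickler calling a class's `__new__` directly and never running `__init__`. The following is an added example, not code from the thread and not a reconstruction of the crash described there: the classes `Broken` and `Fixed` and the helper `roundtrip` are constructed for illustration, and it shows a dict subclass whose `__new__` is incompatible with that call failing on load, next to the `__getnewargs__` fix.

```python
import pickle

INIT_CALLS = []  # records every __init__ run, to show that unpickling skips it


class Broken(dict):
    """dict subclass whose __new__ demands an argument pickle never supplies."""

    def __new__(cls, owner):
        self = super().__new__(cls)   # base-class __new__ must still be called
        self.owner = owner
        return self

    def __init__(self, owner):
        super().__init__()
        INIT_CALLS.append(type(self).__name__)


class Fixed(Broken):
    """Same class, but tells pickle which arguments to hand to __new__."""

    def __getnewargs__(self):
        return (self.owner,)


def roundtrip(obj, protocol=2):
    """Pickle and unpickle obj; return the copy, or the exception raised on load."""
    data = pickle.dumps(obj, protocol)
    try:
        return pickle.loads(data)
    except Exception as exc:  # report the load failure instead of propagating it
        return exc


def demo():
    """Round-trip one instance of each class (constructed sample data)."""
    broken, fixed = Broken("barry"), Fixed("barry")
    broken["k"] = fixed["k"] = 1
    INIT_CALLS.clear()  # only count __init__ calls made during loading
    results = roundtrip(broken), roundtrip(fixed)
    return results, list(INIT_CALLS)


if __name__ == "__main__":
    (bad, good), init_calls = demo()
    print("Broken:", repr(bad))
    print("Fixed: ", dict(good), good.owner, "| __init__ calls on load:", init_calls)
```
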