[...]
> The parser module provides the low level innards of CPython's parser
> (which is really nothing like ours), and the way to deal with AST going
> forward is via the _ast module, which we support and was originally
> added in CPython 2.5. We also support the ast (no underscore) module, as
> well as the ability to pass modified/generated AST to the compile
> function, which were both added in CPython 2.6''

Sigh, typical developer response, "here is our solution going forward, oh by the way it means your code is incompatible with old versions" </rant>

>
> The implication being that the parser module will suffer the same problems.

If they can create ast they can create parser, but anyway...they won't.

>
> As far as I'm concerned the cure is worse than the disease and we should
> just roll back
> http://code.google.com/p/asciidoc/source/detail?r=66543730504e5dc07a56fcd89b238ef784cdeac4
>

I'll admit I don't see it as a likely attack vector, but everybody is security conscious these days so total removal might be a bad look.

How does Jython report itself? I couldn't find anything in the docs on what version it reports. Can it use the ast code in the <2.6 else clause, it appears to imply that? Or can it be identified some other way so it can fall back to an unsafe eval? Better than total removal of the security code.

Cheers
Lex

> Cheers, Stuart
>
>> Cheers
>> Lex
>>
>>> Cheers, Stuart
>>>
>>>> Thanks.

--
You received this message because you are subscribed to the Google Groups "asciidoc" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/asciidoc?hl=en.
