Chris Angelico writes:

 > Python source code is not user input though. So there has to be a way
 > for someone to attack a Python-based service, like attacking a web app
 > by sending HTTP requests to it.

Not sure what your point is.  Of course there has to be a vector.  But
as a Mailman developer, I can assure you that there are Python
programs facing the web that accept HTTP requests and SMTP messages,
and process the content, which could be anything an attacker wants it
to be.

I can't recall any CVEs that we could trace to Python (rather than our
code :-/), but Mailman can be and has been attacked.  I can imagine
that if there was an RCE vulnerability in Python or a C module we use,
Mailman would be a top candidate for a workable exploit because of the
amount of processing of user-supplied text we must do.  (Don't worry
about me, I sleep well anyway.  Python is pretty bullet-proof IMO ;-)

Did I completely misunderstand you, or the previous posters?

Steve
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/ZMUQOAVBGYYNFDGQ3JIIRKXEAYXR6XAH/