On Feb 5, 2008 4:02 PM, Amaury Forgeot d'Arc <[EMAIL PROTECTED]> wrote:
> Guido van Rossum wrote:
> > Thanks Amaury! Do you think it would be sufficient to change the
> > PyString_Check() call in PyEval_EvalCodeEx into a
> > PyString_CheckExact() call?
>
> This would prevent this "attack", but would remain fragile - future
> developments could allow execution of Python code somewhere.
>
> > Or is the proper fix to incref the values
> > going into the kw array and decref them upon exit?
>
> Yet Another Kind Of Tuple... However this seems the correct thing to do.

Agreed.

> In addition, if we agree to restrict argument names to str (and
> disallow subclasses), there are easy optimizations in
> PyEval_EvalCodeEx, somewhere around the "XXX slow" comment (!)

Do you think you have time to come up with a patch? If not, can you file a bug for this so we won't forget?

-- 
--Guido van Rossum (home page: http://www.python.org/~guido/)