Chris Withers wrote:
> Martin v. Löwis wrote:
>> Martin v. Löwis <mar...@v.loewis.de> added the comment:
>>
>>> So all Chris has to do to get this applied to 2.5 is craft an exploit based
>>> on the current behavior, right? ;-)
>> Right :-) Of course, security patches should see a much more careful
>> review than regular bug fixes.
>
> Well, it's funny you say that, since where I bumped into this, the bug
> was effectively DOS'ing a couple of mailservers as a result of
> mailinglogger sending out log entries of uncaught exceptions such as
> this and so emitting 100Mb emails whenever the foreign server chose not
> to deliver the whole chunk requested...

If it is possible for a hostile outsider to trigger the DOS by sending
mail to be processed by an application using the library, and the
application can't avoid the DOS without ditching / forking /
monkeypatching the library, then I would call the bug a "security bug",
period.

As for backward compatibility: any application which is depending on
getting arbitrarily-long lines in its logfile is already insane, and
should be scrapped.

Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev