Victor Stinner wrote:
> On Thursday 24 March 2011 at 13:22 +0100, M.-A. Lemburg wrote:
>> BTW: Why do you think that %.100s is not supported in
>> PyErr_Format() in Python 2.x ? PyString_FromFormatV()
>> does support this. The change to use Unicode error strings
>> introduced the problem, since PyUnicode_FromFormatV() for
>> some reason ignores the precision (which it shouldn't).
>
> Oh... You are right, it is a regression in Python 3. We started to write
> unit tests for PyBytes_FromFormat() and PyUnicode_FromFormat(), I hope
> that they will improve the situation.
>
>> That said, it's a good idea to add the #7330 fix
>> to at least Python 2.7 as well, since ignoring the precision
>> is definitely a bug. It may even be security relevant, since
>> it could be used for DOS attacks on servers (e.g. causing them
>> to write huge strings to log files instead of just a few
>> hundred bytes per message), so may even need to go into Python 2.6.
>
> Python 2 is not affected because PyErr_Format() uses
> PyString_FromFormatV() which supports precision for %s format (e.g.
> %.100s truncates the string to 100 bytes).
Right, but the PyUnicode_FromFormatV() which ignores the precision is
still present in Python 2.6 and 2.7, even though it is not used by
PyErr_Format().

> Do you think that Python 3.1-3.3 should be fixed?

Yes, indeed. The above mentioned security threat is real.

The CPython code only has a few cases where this could be used for a
DOS (e.g. in the pickle module or the AST code), but since this
function is used in 3rd party extensions, those are affected
indirectly as well.

Thanks,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Mar 30 2011)
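The thread's security point is that a precision on %s is what keeps an error message built from untrusted input to a bounded size; when the formatter silently drops the precision, the message (and whatever log line it ends up in) grows with the attacker-controlled input. The following C program is an added example written for this page, not CPython code and not the PyUnicode_FromFormatV() implementation: it contrasts a bounded and an unbounded message built with plain snprintf(). The message text, the MAX_PREVIEW limit (chosen to match the %.100s in the thread) and the constructed 'A'-filled inputs are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this example; the thread's format string uses %.100s. */
#define MAX_PREVIEW 100

/* Prefix shared by both variants (19 bytes). */
static const char PREFIX[] = "cannot parse value ";

/* Format an error message that embeds at most MAX_PREVIEW bytes of the
 * untrusted string. "%.*s" stops at MAX_PREVIEW bytes or at the first NUL,
 * whichever comes first. Returns the length the full message needs
 * (snprintf semantics), so the caller can verify it is bounded. */
int format_error_bounded(const char *untrusted, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s%.*s", PREFIX, MAX_PREVIEW, untrusted);
}

/* The same message with the precision ignored: the message length tracks
 * the input length, which is the log-flooding behaviour the thread describes. */
int format_error_unbounded(const char *untrusted, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s%s", PREFIX, untrusted);
}

/* Constructed sample input: n bytes of 'A', NUL-terminated. Caller frees. */
char *make_long_input(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Length of the message produced for an n-byte input, bounded variant.
 * Returns -1 on allocation failure. */
int message_len_bounded(size_t n)
{
    char buf[256];
    char *in = make_long_input(n);
    if (in == NULL)
        return -1;
    int len = format_error_bounded(in, buf, sizeof buf);
    free(in);
    return len;
}

/* Same for the unbounded variant. */
int message_len_unbounded(size_t n)
{
    char buf[256];
    char *in = make_long_input(n);
    if (in == NULL)
        return -1;
    int len = format_error_unbounded(in, buf, sizeof buf);
    free(in);
    return len;
}

int main(void)
{
    size_t sizes[] = { 5, 100, 100000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("input %6zu bytes: bounded=%d unbounded=%d\n",
               sizes[i], message_len_bounded(sizes[i]),
               message_len_unbounded(sizes[i]));
    }
    return 0;
}
```

Two caveats worth keeping in mind when relying on this: the precision counts bytes, not characters, so truncating a UTF-8 string at a fixed byte offset can cut a multi-byte sequence in half, and the bound only holds if every formatter in the chain honours the precision, which is exactly the property the thread found missing in PyUnicode_FromFormatV().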