On Mon, Jan 27, 2014 at 5:38 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
>
> I would say not backport at all. The security threat is highly
> theoretical. If someone blindly accepts user values for repeat(), the
> user value can just as well be a very large positive with similar
> effects (e.g. 2**31).
>

I cannot comment about whether this is a security issue or not. But the
effect of a large positive number is not similar to the effect of
unlimited repetitions.

>>> from itertools import repeat
>>> list(repeat('a', 2**31))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
MemoryError
>>> list(repeat('a', 2**99))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OverflowError: Python int too large to convert to C ssize_t
>>> list(repeat('a', times=-1))
...this freezes my computer...

That is why I prefer we backport the fix (either partial or full). If
not, giving a big warning in the documentation should suffice.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
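
Added example, not part of the original message or of CPython: one way for calling code to validate an untrusted repetition count before it reaches repeat(), so that neither the negative-count case nor the very large positive case from the session above is reachable. The names checked_count, bounded_repeat and MAX_REPEAT, and the limit value, are assumptions made for this illustration.

```python
from itertools import islice, repeat
import operator

MAX_REPEAT = 10_000  # assumed application limit, not a value from the thread


def checked_count(value, limit=MAX_REPEAT):
    """Validate an untrusted repetition count before it reaches repeat()."""
    if isinstance(value, bool):
        # bool is an int subclass; treat True/False as a caller mistake.
        raise ValueError("count must be an integer, not a bool")
    try:
        n = operator.index(value)  # accepts int-like objects, rejects float/str
    except TypeError:
        raise ValueError("count must be an integer") from None
    if n < 0:
        # In the session above, times=-1 made repeat() run without end.
        raise ValueError("count must not be negative")
    if n > limit:
        # Very large counts ended in MemoryError or OverflowError instead.
        raise ValueError("count exceeds limit of %d" % limit)
    return n


def bounded_repeat(obj, count, limit=MAX_REPEAT):
    """Return an iterator yielding obj exactly `count` validated times."""
    n = checked_count(count, limit)
    # islice is a second, independent cap: even if repeat() were unbounded,
    # at most n items are ever drawn from it.
    return islice(repeat(obj, n), n)


if __name__ == "__main__":
    print(list(bounded_repeat("a", 3)))
    for bad in (-1, 2**31, 2**99):
        try:
            bounded_repeat("a", bad)
        except ValueError as exc:
            print("rejected %r: %s" % (bad, exc))
```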