[issue43882] [security] urllib.parse should sanitize urls containing ASCII newline and tabs.

2021-05-04 Thread Seth Michael Larson


Seth Michael Larson added the comment:

Leaving a thought here, I'm highlighting that we're now implementing two 
different standards, RFC 3986 with hints of WHATWG-URL. There are pitfalls to 
doing so as now a strict URL parser for RFC 3986 (like the one used by 
urllib3/requests) will give different results compared to Python and thus opens 
up the door for SSRF vulnerabilities [1].

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

--
nosy: +sethmlarson

___
Python tracker 
<https://bugs.python.org/issue43882>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
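
Added example, not part of the original message and not code from CPython or urllib3: the parser disagreement described in the comment above, shown on a constructed URL, next to a validator that rejects ambiguous input instead of repairing it. The two "view" functions are simplified stand-ins (assumptions) for a WHATWG-style and an RFC 3986-style parser; all function names and hosts are hypothetical.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 Appendix B splitting regex: the strict view, nothing is removed.
_RFC3986_SPLIT = re.compile(
    r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?", re.DOTALL)
# Every character RFC 3986 permits in a URI: unreserved, reserved and "%".
_RFC3986_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def whatwg_view(url):
    """Host as a WHATWG-style parser sees it: trim C0/space, drop tab, LF, CR."""
    cleaned = url.strip(_C0_AND_SPACE).translate(
        {0x09: None, 0x0A: None, 0x0D: None})
    return urlsplit(cleaned).hostname


def rfc3986_view(url):
    """Authority exactly as the Appendix B regex captures it from the raw text."""
    return _RFC3986_SPLIT.match(url).group(4)


def parsers_agree(url):
    """True when both views report the same host for this URL."""
    return whatwg_view(url) == rfc3986_view(url)


def safe_host(url, allowed_hosts):
    """Reject ambiguous input outright, then allow-list scheme and host."""
    # fullmatch, not match() with "$": "$" would accept a trailing newline.
    if not _RFC3986_CHARS.fullmatch(url):
        raise ValueError("URL contains characters outside RFC 3986")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.hostname not in allowed_hosts:
        raise ValueError("host not allowed")
    return parts.hostname


# Constructed sample inputs using reserved .example names (not from the issue).
CLEAN = "https://api.example/v1/items"
AMBIGUOUS = "https://api.example\t.internal.example/v1/items"

if __name__ == "__main__":
    for sample in (CLEAN, AMBIGUOUS):
        print(repr(sample), "parsers agree:", parsers_agree(sample))
```

Validating and fetching with the same parser, and refusing any URL on which a check like this fails, removes the gap between what was checked and what is requested.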



[issue29704] Can't read data from Transport after asyncio.SubprocessStreamProtocol closes

2017-03-02 Thread Seth Michael Larson

Changes by Seth Michael Larson <sethmichaellar...@protonmail.com>:


--
components: +asyncio
nosy: +gvanrossum
type:  -> behavior

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29704>
___



[issue29704] Can't read data from Transport after asyncio.SubprocessStreamProtocol closes

2017-03-02 Thread Seth Michael Larson

New submission from Seth Michael Larson:

Copied from https://github.com/python/asyncio/issues/484

"""
From https://bugs.python.org/issue23242#msg284930

The following script is used to reproduce the bug:

import asyncio

async def execute():
    process = await asyncio.create_subprocess_exec(
        "timeout", "0.1", "cat", "/dev/urandom", stdout=asyncio.subprocess.PIPE)

    while True:
        data = await process.stdout.read(65536)
        print('read %d bytes' % len(data))
        if data:
            await asyncio.sleep(0.3)
        else:
            break

asyncio.get_event_loop().run_until_complete(execute())

will produce following output and terminate with exception:

read 65536 bytes
read 65536 bytes
Traceback (most recent call last):
  File "read_subprocess.py", line 18, in <module>
    asyncio.get_event_loop().run_until_complete(execute())
  File "/usr/lib/python3.6/asyncio/base_events.py", line 466, in run_until_complete
    return future.result()
  File "read_subprocess.py", line 9, in execute
    data = await process.stdout.read(65536)
  File "/usr/lib/python3.6/asyncio/streams.py", line 634, in read
    self._maybe_resume_transport()
  File "/usr/lib/python3.6/asyncio/streams.py", line 402, in _maybe_resume_transport
    self._transport.resume_reading()
  File "/usr/lib/python3.6/asyncio/unix_events.py", line 401, in resume_reading
    self._loop._add_reader(self._fileno, self._read_ready)
AttributeError: 'NoneType' object has no attribute '_add_reader'

When the process exits 
https://github.com/python/asyncio/blob/master/asyncio/unix_events.py#L444 is 
called which sets this._loop = None
Next time read() is called on the pipe the above exception is thrown.
I have tried to fix this issue myself but would sometimes have read terminate 
too early and miss the last chunks of data.
"""

- BotoX

--
messages: 288839
nosy: SethMichaelLarson, yselivanov
priority: normal
pull_requests: 337
severity: normal
status: open
title: Can't read data from Transport after asyncio.SubprocessStreamProtocol 
closes

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29704>
___



[issue29091] Python 3.5+ socket.socketpair fallback incorrectly implemented

2016-12-28 Thread Seth Michael Larson

Seth Michael Larson added the comment:

Sorry for making noise, yes I was using the implementation in Python 2.x. I 
will do better investigation in the future.

--

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29091>
___



[issue29091] Python 3.5+ socket.socketpair fallback incorrectly implemented

2016-12-27 Thread Seth Michael Larson

New submission from Seth Michael Larson:

The socket.socketpair() fallback for Python 3.5+ is incorrectly implemented 
from the original source. The fallback doesn't provide a backlog argument to 
the lsock.listen() function call.

When running the function it gives the following error:
`TypeError: listen() takes exactly one argument (0 given)`

Issue can be seen here on line 514: 
https://hg.python.org/cpython/file/3.6/Lib/socket.py

Should add 1 as the argument to listen() to bring the implementation in line 
with the source implementation at: https://gist.github.com/geertj/4325783

--
components: Library (Lib)
messages: 284158
nosy: SethMichaelLarson
priority: normal
severity: normal
status: open
title: Python 3.5+ socket.socketpair fallback incorrectly implemented
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29091>
___