Chris Angelico added the comment:
ISTM this is a case where Python's core shouldn't be using assert. It's
possible for userland code to trigger an assertion failure, which means it
should be a regular if(..) raise. Patch attached.
@haypo, what do you mean by "fuzzing"? Is there something I've
Chris Angelico added the comment:
Oops, forgot to add a test. Using a variant of poc_getaddr.py to construct
something which fails on current CPython tip, and passes with the patch.
--
Added file: http://bugs.python.org/file40435/dont_assert_with_test.patch
Roundup Robot added the comment:
New changeset 2bff115e6ba0 by Victor Stinner in branch '3.4':
Issue #24684: socket.socket.getaddrinfo() now calls
https://hg.python.org/cpython/rev/2bff115e6ba0
New changeset 0c13674cf8b5 by Victor Stinner in branch '2.7':
Issue #24684:
STINNER Victor added the comment:
Ok, I fixed the bug in Python 2.7, 3.4, 3.5 and 3.6. (Python 2.7 was also
impacted for custom *unicode* strings.)
Thanks for your bug report, paul!
> ISTM this is a case where Python's core shouldn't be using assert. It's
> possible for userland code to
paul added the comment:
@haypo:
I'd be happy to implement all my fuzzer ideas if my bugs were patched in a
timely manner.
At this moment I have multiple bugs submitted over 2 months ago, which still
aren't patched. Without patches, hackerone won't accept these issues, so my
incentive to work
STINNER Victor added the comment:
    idna = _PyObject_CallMethodId(hobj, &PyId_encode, "s", "idna");
    if (!idna)
        return NULL;
    assert(PyBytes_Check(idna));
The assertion fails because the custom string type in poc_getaddr.py returns an
STINNER Victor added the comment:
@paul: are you fuzzing Python?
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24684