Re: [Python-Dev] No longer enable Py_TRACE_REFS by default in debug build

2019-04-09 Thread Steve Dower
On 09Apr2019 0925, Victor Stinner wrote: This change makes the debug build ABI closer to the release build ABI, but I am not sure how to compare these two ABI. Technically, C extensions still need to be recompiled. What do you think? What are the other changes that would be required? And is

Re: [Python-Dev] New Python Initialization API

2019-04-09 Thread Steve Dower
Thanks for the replies. Anything I don't comment on means that I agree with you :) On 05Apr2019 0900, Victor Stinner wrote: Honestly, I'm not sure that we really have to distinguish "user error" and "internal error". It's an old debate about calling abort()/DebugBreak() or not. It seems like

Re: [Python-Dev] Need help to fix HTTP Header Injection vulnerability

2019-04-09 Thread Karthikeyan
I would recommend fixing it since it's potentially remote code execution on systems like Redis (latest versions of Redis have this mitigated) though I must admit I don't fully understand the complexity since there are multiple issues linked. Go was also assigned a CVE for linked issue and it

Re: [Python-Dev] New Python Initialization API

2019-04-09 Thread Steve Dower
On 05Apr2019 0936, Victor Stinner wrote: For the PyMainConfig structure idea, I cannot comment at this point. I need more time to think about it. About the "path configuration" fields, maybe a first step to enhance the API would be to add the following function: PyInitError

Re: [Python-Dev] New Python Initialization API

2019-04-09 Thread Steve Dower
On 05Apr2019 0912, Victor Stinner wrote: About PyPreConfig and encodings. [...] * ``PyInitError Py_PreInitialize(const PyPreConfig *config)`` * ``PyInitError Py_PreInitializeFromArgs( const PyPreConfig *config, int argc, char **argv)`` * ``PyInitError Py_PreInitializeFromWideArgs( const

Re: [Python-Dev] New Python Initialization API

2019-04-09 Thread Steve Dower
On 05Apr2019 0922, Victor Stinner wrote: While there are supporters of an "isolated Python" (sometimes called "system python"), the fact that it doesn't exist in any Linux distribution nor on any other operating system (Windows, macOS, FreeBSD), whereas it's already doable in Python 3.6 with

Re: [Python-Dev] Need help to fix HTTP Header Injection vulnerability

2019-04-09 Thread Gregory P. Smith
On Tue, Apr 9, 2019 at 4:45 PM Karthikeyan wrote: > I would recommend fixing it since it's potentially remote code execution on systems like Redis (latest versions of Redis have this mitigated) though I must admit I don't fully understand the complexity since there are multiple issues

Re: [Python-Dev] Need help to fix HTTP Header Injection vulnerability

2019-04-09 Thread Karthikeyan
Thanks Gregory. I think it's a good tradeoff to ensure this validation only for URLs of http scheme. I also agree handling newlines is a little problematic over the years, and the discussion over the level at which validation should occur also prolongs some of the patches.

[Python-Dev] Need help to fix HTTP Header Injection vulnerability

2019-04-09 Thread Victor Stinner
Hi, In May 2017, user "Orange" found a vulnerability in the urllib fix for CVE-2016-5699 (HTTP Header Injection vulnerability): https://bugs.python.org/issue30458 It allows injecting arbitrary HTTP headers. Copy of their message: """ Hi, the patch in CVE-2016-5699 can be broken by an addition

[Python-Dev] No longer enable Py_TRACE_REFS by default in debug build

2019-04-09 Thread Victor Stinner
Hi, When Python is built in debug mode, PyObject gets 2 new fields: _ob_prev and _ob_next. These fields change the offset of following fields in the PyObject structure and so break the ABI. I propose to modify the debug build (Py_DEBUG) to no longer imply Py_TRACE_REFS. Antoine Pitrou proposed