Re: Is python buffer overflow proof?

2009-08-07 Thread Thorsten Kampe
* Neil Hodgson (Tue, 04 Aug 2009 13:32:55 GMT) Thorsten Kampe: You cannot create your own buffer overflow in Python as you can in C and C++ but your code could still be vulnerable if the underlying Python construct is written in C. Python's standard library does now include unsafe

Re: Is python buffer overflow proof?

2009-08-07 Thread Fuzzyman
On Aug 3, 10:04 pm, sturlamolden sturlamol...@yahoo.no wrote: On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. Short

Re: Is python buffer overflow proof?

2009-08-07 Thread Fuzzyman
On Aug 4, 6:06 am, John Nagle na...@animats.com wrote: Gabriel Genellina wrote: On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden sturlamol...@yahoo.no wrote: On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you

Re: Is python buffer overflow proof?

2009-08-04 Thread Steven D'Aprano
On Mon, 03 Aug 2009 21:34:15 -0700, Paul Rubin wrote: Steven D'Aprano ste...@remove.this.cybersource.com.au writes: The Python interpreter is written in C. Python extension modules are written in C (or something similar). If you find an unprotected buffer in this C code, you can possibly

Re: Is python buffer overflow proof?

2009-08-04 Thread Paul Rubin
Steven D'Aprano ste...@remove.this.cybersource.com.au writes: The point is that code you write yourself can rely on pure Python to be free of buffer-overflows (for some definition of rely) rather than having to worry about managing memory yourself. Right. Basically the Python interpreter

Re: Is python buffer overflow proof?

2009-08-04 Thread Gabriel Genellina
On Tue, 04 Aug 2009 02:06:06 -0300, John Nagle na...@animats.com wrote: Gabriel Genellina wrote: On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden sturlamol...@yahoo.no wrote: On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For

Re: Is python buffer overflow proof?

2009-08-04 Thread Christian Heimes
John Nagle wrote: A more useful question is whether the standard libraries are being run through any of the commercial static checkers for possible buffer overflows. The CPython interpreter is constantly checked with http://www.coverity.com/. Although Python is used for critical stuff at

Re: Is python buffer overflow proof?

2009-08-04 Thread Thorsten Kampe
* Jizzai (Sun, 02 Aug 2009 13:50:14 GMT) Is a _pure_ python program buffer overflow proof? You cannot create your own buffer overflow in Python as you can in C and C++ but your code could still be vulnerable if the underlying Python construct is written in C. See [1] for instance. Thorsten

Re: Is python buffer overflow proof?

2009-08-04 Thread Tim Chase
Marcus Wanner wrote: On 8/3/2009 3:45 AM, Diez B. Roggisch wrote: But you can cast the resulting pointer to an array of larger size, and there you are. Ah, that makes sense. I had forgotten about ctypes.cast(). You *can* shoot yourself in the foot with Python, you just have to aim much

Re: Is python buffer overflow proof?

2009-08-04 Thread Neil Hodgson
Thorsten Kampe: You cannot create your own buffer overflow in Python as you can in C and C++ but your code could still be vulnerable if the underlying Python construct is written in C. Python's standard library does now include unsafe constructs. import ctypes x = '1234' # Munging byte

Re: Is python buffer overflow proof?

2009-08-03 Thread Diez B. Roggisch
Marcus Wanner wrote: On 8/2/2009 10:43 AM, Christian Heimes wrote: Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can break and crash a Python interpreter easily.

Re: Is python buffer overflow proof?

2009-08-03 Thread Marcus Wanner
On 8/3/2009 3:45 AM, Diez B. Roggisch wrote: Marcus Wanner wrote: On 8/2/2009 10:43 AM, Christian Heimes wrote: Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can

Re: Is python buffer overflow proof?

2009-08-03 Thread sturlamolden
On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. Short answer: NO Bounds checking on sequence types is a protection

Re: Is python buffer overflow proof?

2009-08-03 Thread Gabriel Genellina
On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden sturlamol...@yahoo.no wrote: On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow

Re: Is python buffer overflow proof?

2009-08-03 Thread Steven D'Aprano
On Mon, 03 Aug 2009 14:04:53 -0700, sturlamolden wrote: On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. Short answer:

Re: Is python buffer overflow proof?

2009-08-03 Thread Paul Rubin
Steven D'Aprano ste...@remove.this.cybersource.com.au writes: The Python interpreter is written in C. Python extension modules are written in C (or something similar). If you find an unprotected buffer in this C code, you can possibly overflow this buffer. How are C extension modules

Re: Is python buffer overflow proof?

2009-08-03 Thread John Nagle
Gabriel Genellina wrote: On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden sturlamol...@yahoo.no wrote: On 2 Aug, 15:50, Jizzai jiz...@gmail.com wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs

Is python buffer overflow proof?

2009-08-02 Thread Jizzai
Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. In python, I cannot seem to find a way to define/restrict a string length. This is probably by design and raises the topic in

Re: Is python buffer overflow proof?

2009-08-02 Thread Marcus Wanner
On 8/2/2009 9:50 AM, Jizzai wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. In python, I cannot seem to find a way to define/restrict a string length. This is

Re: Is python buffer overflow proof?

2009-08-02 Thread Christian Heimes
Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can break and crash a Python interpreter easily. Christian -- http://mail.python.org/mailman/listinfo/python-list

Re: Is python buffer overflow proof?

2009-08-02 Thread Steven D'Aprano
On Sun, 02 Aug 2009 13:50:14 +, Jizzai wrote: Is a _pure_ python program buffer overflow proof? It's supposed to be. For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. In python, I cannot seem to find a way to

Re: Is python buffer overflow proof?

2009-08-02 Thread Marcus Wanner
On 8/2/2009 10:43 AM, Christian Heimes wrote: Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can break and crash a Python interpreter easily. Christian I see. I