Message 232694 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	gvanrossum
Recipients	Guido, georg.brandl, gvanrossum, serhiy.storchaka, vstinner
Date	2014-12-16.01:09:08
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1418692148.99.0.110209252903.issue23055@psf.upfronthosting.co.za>
In-reply-to

Content
I'd be much worried about attack scenarios if this function was part of the standard library. But it's not -- the stdlib's % operator uses completely different code. The most common use case is probably to generate error messages from extension modules -- and there the format is almost always a literal in the C code. (An adversary who can load a C extension doesn't need this exploit.)

I'd be much worried about attack scenarios if this function was part of the standard library. But it's not -- the stdlib's % operator uses completely different code. The most common use case is probably to generate error messages from extension modules -- and there the format is almost always a literal in the C code. (An adversary who can load a C extension doesn't need this exploit.)

History
Date	User	Action	Args
2014-12-16 01:09:09	gvanrossum	set	recipients: + gvanrossum, georg.brandl, vstinner, serhiy.storchaka, Guido
2014-12-16 01:09:08	gvanrossum	set	messageid: <1418692148.99.0.110209252903.issue23055@psf.upfronthosting.co.za>
2014-12-16 01:09:08	gvanrossum	link	issue23055 messages
2014-12-16 01:09:08	gvanrossum	create