Message232694
I'd be much worried about attack scenarios if this function was part of the standard library. But it's not -- the stdlib's % operator uses completely different code. The most common use case is probably to generate error messages from extension modules -- and there the format is almost always a literal in the C code. (An adversary who can load a C extension doesn't need this exploit.)

Date | User | Action | Args
2014-12-16 01:09:09 | gvanrossum | set | recipients: + gvanrossum, georg.brandl, vstinner, serhiy.storchaka, Guido
2014-12-16 01:09:08 | gvanrossum | set | messageid: <1418692148.99.0.110209252903.issue23055@psf.upfronthosting.co.za>
2014-12-16 01:09:08 | gvanrossum | link | issue23055 messages
2014-12-16 01:09:08 | gvanrossum | create |