Message255400
We all know that blindly inserting external data into a database can be a bad idea. But raising ValueError if the data contains \n barely scratches the surface of a real defense. The external data should be checked before passing it to .add_section or as part of a derived method in a subclass. I already suggested the possibility of allowing only a restricted set of letter characters. Such a check comes after defending against the possibility of someone submitting 'a'*1000000 as, in this case, a section name.
configparser is permissive by design, not by accident. The un-abbreviated verbose re for ConfigParser.SECTCRE says so.
    (?P<header>[^]]+)                  # very permissive!
Date                | User        | Action | Args
2015-11-26 04:56:36 | terry.reedy | set    | recipients: + terry.reedy, vstinner, r.david.murray, lukasz.langa, spaceone
2015-11-26 04:56:36 | terry.reedy | set    | messageid: <1448513796.66.0.0259403187575.issue25723@psf.upfronthosting.co.za>
2015-11-26 04:56:36 | terry.reedy | link   | issue25723 messages
2015-11-26 04:56:35 | terry.reedy | create |
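The defence described in the message above (a length limit applied before a restricted character allow-list, done in a ConfigParser subclass rather than by patching the stdlib), as an added example that is not code from the tracker thread or from CPython. The class name StrictConfigParser, the limit MAX_NAME_LEN and the allow-list NAME_RE are assumptions chosen for illustration; sectcre_header only calls the stdlib's own SECTCRE to show how little it rejects.

```python
import configparser
import io
import re

# Added example, not code from the tracker thread. The limit and the allow-list
# are assumptions for illustration; tune them to the application.
MAX_NAME_LEN = 64
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*")


def sectcre_header(line):
    r"""Return the header that configparser's own SECTCRE extracts from a line, or None.

    SECTCRE is \[(?P<header>[^]]+)\]: any run of characters other than ']' is a
    legal header, which is the permissiveness the message refers to.
    """
    m = configparser.ConfigParser.SECTCRE.match(line)
    return m.group("header") if m else None


class StrictConfigParser(configparser.ConfigParser):
    """ConfigParser that validates section and option names before storing them.

    The length check runs first, so a huge name such as 'a' * 1000000 is rejected
    before any per-character work; the allow-list check runs second.
    """

    @staticmethod
    def _check_name(kind, name):
        if not isinstance(name, str):
            raise TypeError(f"{kind} name must be str, not {type(name).__name__}")
        if len(name) > MAX_NAME_LEN:
            raise ValueError(f"{kind} name longer than {MAX_NAME_LEN} characters")
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"{kind} name {name[:20]!r} contains disallowed characters")

    def add_section(self, section):
        self._check_name("section", section)
        super().add_section(section)

    def set(self, section, option, value=None):
        self._check_name("option", option)
        super().set(section, option, value)


def try_add_section(name):
    """True if StrictConfigParser accepts the section name, False if it rejects it."""
    cp = StrictConfigParser()
    try:
        cp.add_section(name)
    except (TypeError, ValueError):
        return False
    return cp.has_section(name)


def roundtrip(sections):
    """Store {section: {option: value}} through the strict parser, serialize it,
    parse the text back and return the section names seen on re-read."""
    cp = StrictConfigParser()
    for section, options in sections.items():
        cp.add_section(section)
        for option, value in options.items():
            cp.set(section, option, value)
    buf = io.StringIO()
    cp.write(buf)
    reparsed = StrictConfigParser()
    reparsed.read_string(buf.getvalue())
    return reparsed.sections()


if __name__ == "__main__":
    # Constructed inputs: a benign name, a header-injection attempt, a huge name.
    for name in ["database", "a]\n[injected", "a" * 1_000_000]:
        print(repr(name[:20]), "accepted" if try_add_section(name) else "rejected")
    print(sectcre_header("[any thing; #weird=]"))
```

One caveat when reusing this: read_dict (and therefore cp["name"] = {...}) catches ValueError raised by add_section, because the stock parser signals the reserved DEFAULT section that way, so a rejected name passed through read_dict is silently skipped rather than reported. Validate names before calling read_dict, or call add_section and set directly as roundtrip does.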