
Author terry.reedy
Recipients lukasz.langa, r.david.murray, spaceone, terry.reedy, vstinner
Date 2015-11-26.04:56:35
Message-id <1448513796.66.0.0259403187575.issue25723@psf.upfronthosting.co.za>
Content
We all know that blindly inserting external data into a database can be a bad idea.  But raising ValueError if the data contains \n barely scratches the surface of a real defense.  The external data should be checked before passing it to .add_section or as part of a derived method in a subclass.  I already suggested the possibility of allowing only a restricted set of letter characters.  Such a check comes after defending against the possibility of someone submitting 'a'*1000000 as, in this case, a section name.

configparser is permissive by design, not by accident.  The un-abbreviated verbose re for ConfigParser.SECTCRE says so.
  (?P<header>[^]]+) # very permissive!
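As an added illustration (not code from this issue or from the stdlib), the kind of subclass-level check the comment describes: a length cap applied before anything else, then an allow-list of characters, all done before the name reaches the permissive .add_section. The limit of 64 and the identifier-style character set are assumed policy values, not configparser defaults.

```python
import configparser
import re

# Constructed policy values (assumptions for this example, not stdlib defaults):
# names are capped in length and limited to an identifier-like character set.
MAX_SECTION_LEN = 64
SECTION_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class StrictConfigParser(configparser.ConfigParser):
    """Validate section names before handing them to the permissive stdlib parser."""

    def add_section(self, section):
        if not isinstance(section, str):
            raise TypeError("section name must be a str")
        # The length check comes first, so a multi-megabyte name is rejected
        # cheaply before any pattern matching is attempted on it.
        if len(section) > MAX_SECTION_LEN:
            raise ValueError("section name too long: %d > %d" % (len(section), MAX_SECTION_LEN))
        # fullmatch rejects embedded newlines, brackets, spaces and so on outright.
        if SECTION_NAME_RE.fullmatch(section) is None:
            raise ValueError("section name %r contains disallowed characters" % section)
        super().add_section(section)


def _accepts(parser_cls, name):
    """Return True if parser_cls lets `name` through as a section name."""
    parser = parser_cls()
    try:
        parser.add_section(name)
    except (TypeError, ValueError):
        return False
    return parser.has_section(name)


def stock_accepts(name):
    """What the unmodified configparser.ConfigParser does with `name`."""
    return _accepts(configparser.ConfigParser, name)


def strict_accepts(name):
    """What the validating subclass does with `name`."""
    return _accepts(StrictConfigParser, name)


if __name__ == "__main__":
    # Constructed sample names: a sane one, one with junk characters, one huge one.
    for name in ["web_server", "odd name !#= ", "a" * 1000000]:
        print("%-16r stock=%s strict=%s" % (name[:12], stock_accepts(name), strict_accepts(name)))
```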