Message 312333 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	scoder
Recipients	James.Bailey, eli.bendersky, math_foo, r.david.murray, rhettinger, ruffsl, scoder, urule99
Date	2018-02-19.00:13:58
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<659EF89E-0529-4F4B-BA26-07C048B513E0@behnel.de>
In-reply-to	<1518987141.37.0.467229070634.issue20928@psf.upfronthosting.co.za>

Content
> The check may miss infinite recursions if the hrefs happen to be written in non-matching but equivalent forms. Ex: relative versus absolute paths. I thought about that, too, but it's not a real problem. There are only a few different ways to spell the same file path, and once they are through, the recursion would still be detected and never become infinite. Admittedly, the current implementation might lower the overhead for attacks a little, but then, if an attacker can control the input anyway, then there is not really much to win by including the same file multiple times rather than including different files. Maybe we should add a "max_depth" parameter to limit the maximum recursion depth, defaulting to e.g. 5, that users would have to pass in order to say "I know what I'm doing". I agree with the comment about the overly restrictive global set, though. Included file paths should be collected only along an inclusion path and not across independent subtrees.

> The check may miss infinite recursions if the hrefs happen to be written in non-matching but equivalent forms. Ex: relative versus absolute paths.

I thought about that, too, but it's not a real problem. There are only a few different ways to spell the same file path, and once they are through, the recursion would still be detected and never become infinite.

Admittedly, the current implementation might lower the overhead for attacks a little, but then, if an attacker can control the input anyway, then there is not really much to win by including the same file multiple times rather than including different files.

Maybe we should add a "max_depth" parameter to limit the maximum recursion depth, defaulting to e.g. 5, that users would have to pass in order to say "I know what I'm doing".

I agree with the comment about the overly restrictive global set, though. Included file paths should be collected only along an inclusion path and not across independent subtrees.

History
Date	User	Action	Args
2018-02-19 00:13:59	scoder	set	recipients: + scoder, rhettinger, r.david.murray, eli.bendersky, James.Bailey, math_foo, urule99, ruffsl
2018-02-19 00:13:58	scoder	link	issue20928 messages
2018-02-19 00:13:58	scoder	create