This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Don't allow non-Ascii digits in platform.py
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.9

process
Status: closed
Resolution: rejected
Dependencies:
Superseder:
Assigned To:
Nosy List: cool-RR, ezio.melotti, mark.dickinson, steve.dower, vstinner, xiang.zhang
Priority: normal
Keywords: patch

Created on 2020-01-09 21:02 by cool-RR, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
PR        Status  Linked by
PR 17928  closed  cool-RR, 2020-01-09 21:05
PR 17931  closed  cool-RR, 2020-01-09 22:02
Messages (9)
msg359694 - Author: Ram Rachum (cool-RR) * Date: 2020-01-09 21:02
The platform.py module takes non-ASCII digits in regexes in places it shouldn't. e.g. digits like ٢ and 5 are accepted, when only the ASCII digits between 0-9 should be accepted.
msg359719 - Author: Ezio Melotti (ezio.melotti) * (Python committer) Date: 2020-01-10 11:30
Can you elaborate on the rationale for this proposed change?  I'm not sure if there are cases where the digits are non-ASCII, but if there are, is rejecting them the right thing to do?
In the code there's a comment that mentions that the Windows version can be localized, so if the version number uses non-ASCII digits and we change the regex to only accept [0-9], those version strings won't be accepted/recognized anymore.
msg359720 - Author: Ram Rachum (cool-RR) * Date: 2020-01-10 11:37
My approach is that any input that's unexpected by the developer but accepted by the program could cause either a bug or a security problem, and should be rejected by the program. I don't have a specific example for this case.

If you think I need to come up with a specific example where this can be misused, or show that there are no computers in the world that willingly use the version number with non-ASCII digits, I'll let this issue go.
msg360534 - Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2020-01-23 03:30
I can't understand the rationale for rejecting localized digits though I don't know who will use them in practice. I'd rather fix it until there is a real problem with it.
msg360541 - Author: Ezio Melotti (ezio.melotti) * (Python committer) Date: 2020-01-23 04:52
Do you know/can you verify if Chinese versions of Windows/Linux/MacOS include non-ASCII version numbers (e.g. fullwidth digits)?
msg360547 - Author: Mark Dickinson (mark.dickinson) * (Python committer) Date: 2020-01-23 07:55
> If you think I need to come up with a specific example where this can be misused

I think so, yes. :-)

We shouldn't change this (and risk other breakage) without evidence that there's an actual problem.
msg360550 - Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2020-01-23 10:55
@Ezio, at least for my config they are all ASCII digits. But still I don't think there is any rush to change current behaviour.
msg361109 - Author: Ram Rachum (cool-RR) * Date: 2020-01-31 14:40
Hey Victor, adding you here. This ticket is a continuation of the thread on the Python security mailing list. I see that there isn't a consensus here for changing from \d to [0-9]. Can you make a decision on whether to go ahead with this issue or not? Otherwise we can close it, and the corresponding PR.
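The behaviour the opening report describes and the `\d` versus `[0-9]` question raised in msg361109 can be reproduced in a few lines. The following is an added example, not code from the original report, from the linked pull requests or from Lib/platform.py: the version string, the `UNICODE_VERSION_RE`/`ASCII_CLASS_RE`/`ASCII_FLAG_RE` patterns and the helper names are illustrative stand-ins for the kind of regex under discussion. It shows that a `str` pattern's `\d` matches any Unicode decimal digit (category Nd), that `int()` then silently converts those digits to the same numeric value, and two ways to restrict matching to ASCII digits.

```python
import re

# Constructed sample inputs (not taken from the original report): one version
# string written with ASCII, Arabic-Indic and fullwidth digits respectively.
SAMPLES = {
    "ascii": "10.0.19041",
    "arabic_indic": "١٠.٠.١٩٠٤١",
    "fullwidth": "１０.０.１９０４１",
}

# Hypothetical stand-in for the pattern style the report objects to: in a str
# pattern, \d matches every character in Unicode category Nd, not only 0-9.
UNICODE_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Two equivalent ways to accept ASCII digits only: an explicit character class,
# or keeping \d but compiling with re.ASCII so it means [0-9].
ASCII_CLASS_RE = re.compile(r"([0-9]+)\.([0-9]+)\.([0-9]+)")
ASCII_FLAG_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)", re.ASCII)


def parse_version(pattern, text):
    """Return the matched components as ints, or None if the pattern rejects text."""
    m = pattern.match(text)
    if m is None:
        return None
    # int() also accepts any Unicode decimal digit, so digits that get past a
    # permissive regex are converted without error to the same numeric value.
    return tuple(int(group) for group in m.groups())


def compare_patterns(text):
    """Run the permissive and the two ASCII-only patterns over the same input."""
    return {
        "unicode": parse_version(UNICODE_VERSION_RE, text),
        "ascii_class": parse_version(ASCII_CLASS_RE, text),
        "ascii_flag": parse_version(ASCII_FLAG_RE, text),
    }


def is_ascii_digits_only(text):
    """Independent check: every character that is a digit must be one of 0-9."""
    return all(not c.isdigit() or c in "0123456789" for c in text)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, text, compare_patterns(text), is_ascii_digits_only(text))
```

For the ASCII sample all three patterns agree. For the Arabic-Indic and fullwidth samples only the `\d` pattern matches, and `int()` turns the groups into (10, 0, 19041), so a caller never sees that the input was not ASCII; the `[0-9]` class and the `re.ASCII` flag both reject those strings. A `bytes` pattern (`rb"\d"`) is ASCII-only by construction, which is another reason this only shows up with `str` input.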
msg361381 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-02-05 00:04
Without a source stating that version numbers will only ever contain ASCII digits (or a real-world counterexample), I see no reason to make a change here.

Thanks for working on this, Ram!
History
Date                 User            Action  Args
2022-04-11 14:59:25  admin           set     github: 83460
2020-02-05 00:04:34  steve.dower     set     status: open -> closed; nosy: + steve.dower; messages: + msg361381; resolution: rejected; stage: patch review -> resolved
2020-01-31 14:40:02  cool-RR         set     nosy: + vstinner; messages: + msg361109
2020-01-23 10:55:42  xiang.zhang     set     messages: + msg360550
2020-01-23 07:55:43  mark.dickinson  set     nosy: + mark.dickinson; messages: + msg360547
2020-01-23 04:52:33  ezio.melotti    set     messages: + msg360541
2020-01-23 03:30:55  xiang.zhang     set     nosy: + xiang.zhang; messages: + msg360534
2020-01-10 11:37:43  cool-RR         set     messages: + msg359720
2020-01-10 11:30:41  ezio.melotti    set     nosy: + ezio.melotti; messages: + msg359719
2020-01-09 22:02:25  cool-RR         set     pull_requests: + pull_request17336
2020-01-09 21:05:51  cool-RR         set     keywords: + patch; stage: patch review; pull_requests: + pull_request17335
2020-01-09 21:02:11  cool-RR         create