Author gvanrossum
Recipients Guido, georg.brandl, gvanrossum, serhiy.storchaka, vstinner
Date 2014-12-16.01:09:08
Message-id <1418692148.99.0.110209252903.issue23055@psf.upfronthosting.co.za>
In-reply-to
Content
I'd be much worried about attack scenarios if this function was part of the standard library. But it's not -- the stdlib's % operator uses completely different code. The most common use case is probably to generate error messages from extension modules -- and there the format is almost always a literal in the C code. (An adversary who can load a C extension doesn't need this exploit.)
History
Date User Action Args
2014-12-16 01:09:09 gvanrossum set recipients: + gvanrossum, georg.brandl, vstinner, serhiy.storchaka, Guido
2014-12-16 01:09:08 gvanrossum set messageid: <1418692148.99.0.110209252903.issue23055@psf.upfronthosting.co.za>
2014-12-16 01:09:08 gvanrossum link issue23055 messages
2014-12-16 01:09:08 gvanrossum create