
Author larry
Recipients brett.cannon, larry, ncoghlan, pdmccormick, serhiy.storchaka, yselivanov, zach.ware
Date 2015-04-23.09:20:45
Message-id <1429780846.08.0.683307329201.issue23967@psf.upfronthosting.co.za>
In-reply-to
Content
It's only used for signatures in builtins.  Any possible security hole here is uninteresting because the evil hacker already got to run arbitrary C code in the module init.

Because it's only used for signatures in builtins, we shouldn't encounter a function with a mutable default value like {} or [] which gets mutated later.  Builtins don't have those.

In case you're wondering about the "trusted" parameter, that was suggested by Nick Coghlan at the PyCon sprints.  He's thinking that other callers may use _signature_fromstr() in the future, and he wanted the API to make it clear that future uses may be on non-trustworthy sources.

And, finally, consider that the original version already calls eval(). Admittedly it uses eval() in a way that should be much harder to exploit.  But it's not an enormous difference between the two calls.

I don't really think we need to post to python-dev about this.
History
Date User Action Args
2015-04-23 09:20:46 larry set recipients: + larry, brett.cannon, ncoghlan, zach.ware, serhiy.storchaka, yselivanov, pdmccormick
2015-04-23 09:20:46 larry set messageid: <1429780846.08.0.683307329201.issue23967@psf.upfronthosting.co.za>
2015-04-23 09:20:46 larry link issue23967 messages
2015-04-23 09:20:45 larry create
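
The trusted versus non-trustworthy distinction raised in the message above, as an added example that is not part of the original message and is not CPython's code. `eval_default` and `parse_defaults` are hypothetical helpers, and restricting untrusted input to `ast.literal_eval` is an assumption about how such a flag could behave.

```python
import ast

# Hypothetical helpers, not CPython's inspect._signature_fromstr. They only
# illustrate how a "trusted" flag can select the evaluator used for the
# default-value expressions found in a signature string.

def eval_default(expr, *, trusted, namespace=None):
    """Return the Python object for one default-value expression."""
    if trusted:
        # Trusted text (for example, shipped by a C module that is already
        # imported): evaluate against the names the caller supplies.
        # Emptying __builtins__ is not a sandbox; it only keeps name lookup
        # limited to what the caller passed in.
        return eval(expr, {"__builtins__": {}}, dict(namespace or {}))
    # Untrusted text: literals only. Names, calls and attribute access
    # raise ValueError instead of being executed.
    return ast.literal_eval(expr)


def parse_defaults(text_signature, *, trusted, namespace=None):
    """Map parameter name -> default for a '(a, b=1, *, c=X)' string."""
    # Let the Python parser split the parameters, so commas inside a
    # default such as (1, 2) are handled correctly.
    tree = ast.parse("def _f" + text_signature + ": pass")
    args = tree.body[0].args
    positional = args.posonlyargs + args.args
    # Defaults belong to the last len(defaults) positional parameters.
    pairs = list(zip(positional[len(positional) - len(args.defaults):],
                     args.defaults))
    # Keyword-only parameters without a default have None in kw_defaults.
    pairs += [(a, d) for a, d in zip(args.kwonlyargs, args.kw_defaults)
              if d is not None]
    return {a.arg: eval_default(ast.unparse(d), trusted=trusted,
                                namespace=namespace)
            for a, d in pairs}


if __name__ == "__main__":
    # Constructed sample signature; DEFAULT_BUFFER is a made-up module constant.
    sig = "(path, mode=0o777, *, flags=(1, 2), bufsize=DEFAULT_BUFFER)"
    print(parse_defaults(sig, trusted=True, namespace={"DEFAULT_BUFFER": 8192}))
    try:
        parse_defaults(sig, trusted=False)
    except ValueError as exc:
        print("untrusted mode refused a non-literal default:", exc)
```

Requires Python 3.9 or later for `ast.unparse`.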