Message242006
Right, Larry and I had a fairly long discussion about this idea at the sprints, and I was satisfied that all the cases where he's proposing to use this are safe: in order to exploit them you need to be able to set __text_signature__ on arbitrary objects, and if an attacker can do that, you've already lost control of the process.
However, a natural future extension is to expose this as a public alternative constructor for Signature objects, and for that, the fact that it ultimately calls eval() under the hood presents more of a security risk. The "trusted=False" default on _signature_fromstr allows the function to be used safely on untrusted data, while allowing additional flexibility when you *do* trust the data you're evaluating.

| Date | User | Action | Args |
|---|---|---|---|
| 2015-04-25 08:02:33 | ncoghlan | set | recipients: + ncoghlan, brett.cannon, larry, zach.ware, serhiy.storchaka, yselivanov, pdmccormick |
| 2015-04-25 08:02:33 | ncoghlan | set | messageid: <1429948953.75.0.431828168547.issue23967@psf.upfronthosting.co.za> |
| 2015-04-25 08:02:33 | ncoghlan | link | issue23967 messages |
| 2015-04-25 08:02:33 | ncoghlan | create | |
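
The trusted/untrusted split discussed in the message above, as an added example that is not CPython's code or the patch under discussion: a signature string is parsed but never executed, and default values go through `ast.literal_eval` unless the caller opts in to `eval()`. The names `signature_from_text` and `namespace` are hypothetical; only the `trusted` flag name is taken from the message.

```python
import ast
import inspect

P = inspect.Parameter

def _default(node, trusted, namespace):
    """Turn one default-value AST node into a Python object."""
    if node is None:
        return P.empty
    if trusted:
        # Trusted text: full eval(), so a default can call anything it can name.
        code = compile(ast.Expression(body=node), "<text_signature>", "eval")
        return eval(code, dict(namespace or {}))
    try:
        # Untrusted text: literals only; names, calls and attributes are refused.
        return ast.literal_eval(node)
    except (ValueError, TypeError) as exc:
        raise ValueError("non-literal default in untrusted signature") from exc

def signature_from_text(text, trusted=False, namespace=None):
    """Build an inspect.Signature from text such as '(a, b=1, *, c=None)'."""
    tree = ast.parse("def _f{}: pass".format(text))  # parsed only, never executed
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.FunctionDef):
        raise ValueError("text must be a single bare signature")
    args = tree.body[0].args
    positional = args.posonlyargs + args.args
    # Defaults align with the tail of the positional list; pad the front.
    defaults = [None] * (len(positional) - len(args.defaults)) + args.defaults
    params = []
    for i, (arg, node) in enumerate(zip(positional, defaults)):
        kind = P.POSITIONAL_ONLY if i < len(args.posonlyargs) else P.POSITIONAL_OR_KEYWORD
        params.append(P(arg.arg, kind, default=_default(node, trusted, namespace)))
    if args.vararg:
        params.append(P(args.vararg.arg, P.VAR_POSITIONAL))
    for arg, node in zip(args.kwonlyargs, args.kw_defaults):
        params.append(P(arg.arg, P.KEYWORD_ONLY, default=_default(node, trusted, namespace)))
    if args.kwarg:
        params.append(P(args.kwarg.arg, P.VAR_KEYWORD))
    return inspect.Signature(params)

if __name__ == "__main__":
    calls = []  # constructed input: records whether a default expression ran
    ns = {"mark": calls.append}
    print(signature_from_text("(a, b=1, *, c=None)"))
    print(signature_from_text("(x=mark(1))", trusted=True, namespace=ns), calls)
    try:
        signature_from_text("(x=mark(1))", namespace=ns)
    except ValueError as exc:
        print("refused:", exc, calls)
```

With the default `trusted=False`, the call expression in a default is rejected before anything runs; with `trusted=True` the same text invokes the callable as a side effect of building the signature.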