
Author spaceone
Recipients lukasz.langa, r.david.murray, spaceone, terry.reedy, vstinner
Date 2015-11-27.00:18:55
Message-id <1448583536.11.0.677634335358.issue25723@psf.upfronthosting.co.za>
Content
Of course both of you have reasonable arguments.
For compatibility with overridden SECTRE attributes it should not raise ValueError for characters like [ and ]. (Too bad that SECTRE is a public attribute; otherwise it could also be used to validate the name, e.g. SECTRE.match('[%s]').) What if somebody changed SECTRE to multiline? Then even rejecting '\n' would break compatibility.
But: how often does this happen? In open source projects, it seems, never. A nullege.com and Google search exposed that no project does this.

Terry, I completely agree with your argument "that blindly inserting external input into a database is a bad idea". But in the real world it happens that there are many applications out there which don't validate what they pass into .add_section(). (Do you want me to give you a list of Python projects which are either broken or vulnerable?) In my opinion this is dangerous, as is not validating HTTP/Mail/MIME headers for such characters, and so on.
What's the goal of Python here? Giving programmers nice utilities which have security considerations in their software design by default, or giving everything up to the programmer, who is forced to never trust the stdlib and always has to read the source code it uses?

As I understand it from reading the documentation, config parser is loosely based on M$ INI files, and as the name says it is for configuration files. Usually(!) configuration files are human-readable files editable with an editor. Disallowing non-printable characters would have been the best option in the first release of config parser.
From my experience it is good to restrict things from the beginning and make them overridable to be more relaxed if this is really needed.

And regarding issue20923: I think it would be a great feature to include the code change instead of changing the documentation. In my research about add_section() I found some projects which use URIs as section names. As you know the WWW is evolving, and actually http://[::1]/ is a valid URI nowadays. If this were changed, these implementations would not have to overwrite SECTRE in the future, and they also won't run into that bug one day.

I adapted my commit to only disallow \r, \n and \x00. [ and ] are allowed for customization of SECTRE.
https://github.com/spaceone/cpython/commit/a0cdb85e4c7c4dd71a87b1f6c4d9d92ece2dde15