Author steve.dower
Recipients JohnLeitch, christian.heimes, eryksun, steve.dower, tim.golden, zach.ware
Date 2016-09-24.20:58:28
Message-id <1474750709.28.0.712071365473.issue24201@psf.upfronthosting.co.za>
Content
I think this requires arbitrary code execution as a minimum - there's no way anyone would pass a user-provided value here - so the security implications are less interesting.

All we can really do is restrict the types accepted here, which I don't think is appropriate in a maintenance release. Possibly it's not too late to deprecate in 3.6 for removal in 3.8, but it is certainly a documented feature. Checking a handle for validity is not part of user mode API, as far as I know - EAFP.
History
Date User Action Args
2016-09-24 20:58:29 steve.dower set recipients: + steve.dower, christian.heimes, tim.golden, zach.ware, eryksun, JohnLeitch
2016-09-24 20:58:29 steve.dower set messageid: <1474750709.28.0.712071365473.issue24201@psf.upfronthosting.co.za>
2016-09-24 20:58:29 steve.dower link issue24201 messages
2016-09-24 20:58:28 steve.dower create