Message 277334 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	JohnLeitch, christian.heimes, eryksun, steve.dower, tim.golden, zach.ware
Date	2016-09-24.20:58:28
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1474750709.28.0.712071365473.issue24201@psf.upfronthosting.co.za>
In-reply-to

Content
I think this requires arbitrary code execution as a minimum - there's no way anyone would pass a user-provided value here - so the security implications are less interesting. All we can really do is restrict the types accepted here, which I don't think is appropriate in a maintenance release. Possibly it's not too late to deprecate in 3.6 for removal in 3.8, but it is certainly a documented feature. Checking a handle for validity is not part of user mode API, as far as I know - EAFP.

I think this requires arbitrary code execution as a minimum - there's no way anyone would pass a user-provided value here - so the security implications are less interesting.

All we can really do is restrict the types accepted here, which I don't think is appropriate in a maintenance release. Possibly it's not too late to deprecate in 3.6 for removal in 3.8, but it is certainly a documented feature. Checking a handle for validity is not part of user mode API, as far as I know - EAFP.

History
Date	User	Action	Args
2016-09-24 20:58:29	steve.dower	set	recipients: + steve.dower, christian.heimes, tim.golden, zach.ware, eryksun, JohnLeitch
2016-09-24 20:58:29	steve.dower	set	messageid: <1474750709.28.0.712071365473.issue24201@psf.upfronthosting.co.za>
2016-09-24 20:58:29	steve.dower	link	issue24201 messages
2016-09-24 20:58:28	steve.dower	create