
Author josh.r
Recipients hadimene, josh.r
Date 2018-02-03.17:20:40
Message-id <1517678441.02.0.467229070634.issue32757@psf.upfronthosting.co.za>
Content
A server that exposes arbitrary exec's to user-submitted data can already be controlled. exec can do anything that Python can do; that's the whole point. Sure, crashing Python is bad, but it could also keep Python alive and start dumping the database to arbitrary people, deleting files, etc.

Also, your Proof of Concept code is cluttered with pointless garbage AFAICT. Do you really need all the unused multiline strings to trigger this?
History
Date | User | Action | Args
2018-02-03 17:20:41 | josh.r | set | recipients: + josh.r, hadimene
2018-02-03 17:20:41 | josh.r | set | messageid: <1517678441.02.0.467229070634.issue32757@psf.upfronthosting.co.za>
2018-02-03 17:20:41 | josh.r | link | issue32757 messages
2018-02-03 17:20:40 | josh.r | create |