Author scoder
Recipients James.Bailey, eli.bendersky, math_foo, r.david.murray, rhettinger, ruffsl, scoder, urule99
Date 2018-02-19.00:13:58
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <659EF89E-0529-4F4B-BA26-07C048B513E0@behnel.de>
In-reply-to <1518987141.37.0.467229070634.issue20928@psf.upfronthosting.co.za>
Content
> The check may miss infinite recursions if the hrefs happen to be written in non-matching but equivalent forms. Ex: relative versus absolute paths.

I thought about that, too, but it's not a real problem. There are only a few different ways to spell the same file path, and once they are through, the recursion would still be detected and never become infinite.

Admittedly, the current implementation might lower the overhead for attacks a little, but then, if an attacker can control the input anyway, then there is not really much to win by including the same file multiple times rather than including different files.

Maybe we should add a "max_depth" parameter to limit the maximum recursion depth, defaulting to e.g. 5, that users would have to pass in order to say "I know what I'm doing".

I agree with the comment about the overly restrictive global set, though. Included file paths should be collected only along an inclusion path and not across independent subtrees.
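The two ideas in this message (cycle detection along the current inclusion chain only, plus a max_depth cap that callers must raise explicitly) sketched as an added example; this is not code from the CPython tracker or from ElementInclude, and the in-memory DOCS map, normalisation with os.path.normpath and the function names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

XINCLUDE = "{http://www.w3.org/2001/XInclude}include"

# Constructed in-memory "files". b.xml includes a.xml under a different but
# equivalent spelling, the case raised in the quoted comment.
XI = 'xmlns:xi="http://www.w3.org/2001/XInclude"'
DOCS = {
    "/data/a.xml": '<a %s><xi:include href="b.xml"/></a>' % XI,
    "/data/b.xml": '<b %s><xi:include href="../data/a.xml"/></b>' % XI,
    "/data/c.xml": '<c %s><xi:include href="leaf.xml"/><xi:include href="leaf.xml"/></c>' % XI,
    "/data/leaf.xml": "<leaf/>",
}

class IncludeError(Exception):
    pass

def load(path):
    return ET.fromstring(DOCS[path])

def include(elem, base, chain, max_depth):
    """Expand xi:include children of elem in place. `chain` holds the
    normalised paths on the current inclusion chain only, so a file reused
    in independent subtrees is accepted while a cycle is rejected."""
    for i, child in enumerate(list(elem)):
        if child.tag != XINCLUDE:
            include(child, base, chain, max_depth)
            continue
        # Normalise before comparing so "b.xml" and "../data/b.xml" match.
        href = os.path.normpath(os.path.join(os.path.dirname(base), child.get("href")))
        if href in chain:
            raise IncludeError("recursive include: " + " -> ".join(chain + (href,)))
        if len(chain) > max_depth:
            raise IncludeError("inclusion depth exceeds max_depth=%d" % max_depth)
        node = load(href)
        include(node, href, chain + (href,), max_depth)
        elem.remove(child)
        elem.insert(i, node)
    return elem

def expand(path, max_depth=5):
    path = os.path.normpath(path)
    return include(load(path), path, (path,), max_depth)

def include_error(path, max_depth=5):
    """Return the IncludeError message for path, or None if it expands cleanly."""
    try:
        expand(path, max_depth)
    except IncludeError as e:
        return str(e)
    return None
```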
History
Date                 User    Action   Args
2018-02-19 00:13:59  scoder  set      recipients: + scoder, rhettinger, r.david.murray, eli.bendersky, James.Bailey, math_foo, urule99, ruffsl
2018-02-19 00:13:58  scoder  link     issue20928 messages
2018-02-19 00:13:58  scoder  create