Author xtreak
Recipients eric.smith, serhiy.storchaka, vstinner, xtreak
Date 2018-12-22.17:17:09
Message-id <1545499029.66.0.0770528567349.issue35560@roundup.psfhosted.org>
Content
> This bug is not new, and this is the first report for it. It can be treated as a security issue if an application allows the user to specify a format string. But using a format string from an untrusted source causes a security issue itself, because this allows spending memory and CPU time on creating an arbitrarily large string object. Also, it is unlikely that debug builds are used in production.

My initial thought was that since the assert failed, it has exposed some bug or behavior change. Also, I didn't know release builds remove assert statements. Since it's a case of a debug build being the problem, I agree with you that the impact is low, since it shouldn't be used in production.

> I would backport the solution of this issue to 3.6, but it is not bad if it is not backported. I think this is not a release blocker.

Thanks, I have created a PR with tests: https://github.com/python/cpython/pull/11288. For some reason it's not linked to the issue.
History
Date | User | Action | Args
2018-12-22 17:17:10 | xtreak | set | recipients: + xtreak, vstinner, eric.smith, serhiy.storchaka
2018-12-22 17:17:09 | xtreak | set | messageid: <1545499029.66.0.0770528567349.issue35560@roundup.psfhosted.org>
2018-12-22 17:17:09 | xtreak | link | issue35560 messages
2018-12-22 17:17:09 | xtreak | create |
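
The resource cost mentioned in the quoted reply (an untrusted format spec producing an arbitrarily large string) can be bounded before `format()` is called. The following is an added example, not part of the original message or of CPython; the names `check_spec`, `is_allowed`, `safe_format` and the limits are assumptions chosen for illustration.

```python
import re

# Allow-list for the Format Specification Mini-Language:
# [[fill]align][sign][#][0][width][grouping][.precision][type]
# (the newer "z" option is deliberately not accepted here).
_SPEC = re.compile(
    r"(?:(?P<fill>.)?(?P<align>[<>=^]))?"
    r"(?P<sign>[-+ ])?(?P<alt>#)?(?P<zero>0)?"
    r"(?P<width>\d+)?(?P<group>[_,])?"
    r"(?:\.(?P<precision>\d+))?"
    r"(?P<type>[bcdeEfFgGnosxX%])?",
    re.DOTALL,
)

# Assumed limits; tune them to what the application really needs to render.
MAX_SPEC_LEN = 16
MAX_WIDTH = 64
MAX_PRECISION = 32


class UnsafeFormatSpec(ValueError):
    """Raised when a user-supplied spec is malformed or exceeds the limits."""


def check_spec(spec):
    """Return spec unchanged if it is well-formed and bounded, else raise."""
    if len(spec) > MAX_SPEC_LEN:
        raise UnsafeFormatSpec("format spec too long")
    m = _SPEC.fullmatch(spec)
    if m is None:
        raise UnsafeFormatSpec("format spec not recognised")
    if m["width"] and int(m["width"]) > MAX_WIDTH:
        raise UnsafeFormatSpec("width exceeds limit")
    if m["precision"] and int(m["precision"]) > MAX_PRECISION:
        raise UnsafeFormatSpec("precision exceeds limit")
    return spec


def is_allowed(spec):
    """Boolean wrapper around check_spec for filtering input."""
    try:
        check_spec(spec)
    except UnsafeFormatSpec:
        return False
    return True


def safe_format(value, spec):
    """format() that only accepts a validated, size-bounded spec."""
    return format(value, check_spec(spec))
```
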