Message 359697 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steven.daprano
Recipients	cool-RR, p-ganssle, steven.daprano
Date	2020-01-09.22:38:43
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1578609523.24.0.0880866082178.issue39280@roundup.psfhosted.org>
In-reply-to

Content
> If user code were to check for uniqueness of a datetime by comparing it as a string, this is where an attacker could fool this logic, by using a non-Ascii digit. To me, this seems like a pretty thin justification for calling this a security vulnerability. Using the exact same reasoning, one could argue that "If user code were to check for uniqueness of a float by comparing it as a string, this is where an attacker could fool this logic, by using leading or trailing spaces, extra non-significant digits, upper- or lowercase 'E', etc." py> float(" +00012.145000000000000099999e00 ") == float("12.145") True Referring specifically to strptime(), there are many format codes which break uniqueness by allowing optional leading zeroes, and month names are case insensitive e.g. %b accepts 'jAn' as well as 'Jan'. https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior As far as the inconsistency, I think that's an argument for being less strict, not more, and allowing non-ASCII digits in more places not just the first. Why shouldn't (let's say) a Bengali user specify the day of the month using Bengali digits?

> If user code were to check for uniqueness of a datetime by comparing it as a string, this is where an attacker could fool this logic, by using a non-Ascii digit.

To me, this seems like a pretty thin justification for calling this a security vulnerability.

Using the exact same reasoning, one could argue that "If user code were to check for uniqueness of a float by comparing it as a string, this is where an attacker could fool this logic, by using leading or trailing spaces, extra non-significant digits, upper- or lowercase 'E', etc."

py> float(" +00012.145000000000000099999e00 ") == float("12.145")
True

Referring specifically to strptime(), there are many format codes which break uniqueness by allowing optional leading zeroes, and month names are case insensitive e.g. %b accepts 'jAn' as well as 'Jan'.

https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior

As far as the inconsistency, I think that's an argument for being less strict, not more, and allowing non-ASCII digits in more places not just the first. Why shouldn't (let's say) a Bengali user specify the day of the month using Bengali digits?

History
Date	User	Action	Args
2020-01-09 22:38:43	steven.daprano	set	recipients: + steven.daprano, cool-RR, p-ganssle
2020-01-09 22:38:43	steven.daprano	set	messageid: <1578609523.24.0.0880866082178.issue39280@roundup.psfhosted.org>
2020-01-09 22:38:43	steven.daprano	link	issue39280 messages
2020-01-09 22:38:43	steven.daprano	create