Author gvanrossum
Recipients barry, gvanrossum, terry.reedy
Date 2008-08-01.23:41:11
Message-id <1217634074.5.0.121809023326.issue3487@psf.upfronthosting.co.za>
In-reply-to
Content
> 3. Google considered this enough of a potential problem to pre-emptively
> fix it.  Now that that problem has been publicly exposed, other careful
> users will expect it to be fixed and will find Python more attractive
> when it has been.
> 
> If this is included in the next betas, the announcement of such might
> say so and encourage re users to re-run any re-based test code.

I should add that the protection this offers is against attempts to
cause crashes by passing bad RE "bytecode" into _sre.compile().

It is not possible to generate such bad RE "bytecode" by writing an evil
regular expression; you must have access to the _sre module in order to
be able to exploit this vulnerability.  In other words, the
vulnerability is equivalent to having ctypes accessible.

Thus, only people who are worried about malicious use of ctypes should
be worried about this vulnerability.  Google's App Engine is one of
those (rare) places, since it lets anybody run their Python code in a
Google datacenter.  If you offer the ability to run arbitrary Python
code to strangers, you should worry about this.  Otherwise, there is no
reason to worry.
History
Date                 User        Action  Args
2008-08-01 23:41:14  gvanrossum  set     recipients: + gvanrossum, barry, terry.reedy
2008-08-01 23:41:14  gvanrossum  set     messageid: <1217634074.5.0.121809023326.issue3487@psf.upfronthosting.co.za>
2008-08-01 23:41:13  gvanrossum  link    issue3487 messages
2008-08-01 23:41:12  gvanrossum  create