This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author gvanrossum
Recipients barry, gvanrossum, terry.reedy
Date 2008-08-01.23:41:11
SpamBayes Score 0.00167837
Marked as misclassified No
Message-id <>
> 3. Google considered this enough of a potential problem to pre-emptively
> fix it.  Now that that problem has been publicly exposed, other careful
> users will expect it to be fixed and will find Python more attractive
> when it has been.
> If this is included in the next betas, the announcement of such might
> say so and encourage re users to re-run any re-based test code.

I should add that the protection this offers is against attempts to
cause crashes by passing bad RE "bytecode" into the _sre.compile().

It is not possibly to generate such bad RE "bytecode" by writing an evil
regular expression; you must have access to the _sre module in order to
be able to exploit this vulnerability.  In other words, the
vulnerability is equivalent to having ctypes accessible.

Thus, only people who are worried about malicious use of ctypes should
be worried about this vulnerability.  Google's App Engine is one of
those (rare) places, since it lets anybody run their Python code in a
Google datacenter.  If you offer the ability to run arbitrary Python
code to strangers, you should worry about this.  Otherwise, there is no
reason to worry.
Date User Action Args
2008-08-01 23:41:14gvanrossumsetrecipients: + gvanrossum, barry, terry.reedy
2008-08-01 23:41:14gvanrossumsetmessageid: <>
2008-08-01 23:41:13gvanrossumlinkissue3487 messages
2008-08-01 23:41:12gvanrossumcreate