[Python-Dev] Python security team (original) (raw)
Josiah Carlson josiah.carlson at gmail.com
Mon Sep 29 22:44:16 CEST 2008
- Previous message: [Python-Dev] Python security team
- Next message: [Python-Dev] Python security team
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gnewsg at gmail.com> wrote:
On 27 Set, 20:04, "Josiah Carlson" <josiah.carl... at gmail.com> wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stin... at haypocalc.com> wrote: > Second, I would like to help to fix all Python security issues. It looks like > Python community isn't very reactive (proactive?) about security. Eg. a DoS > was reported in smtpd server (integrated to Python)... 15 months ago. A patch > is available but it's not applied in Python trunk. The smtpd module is not meant to be used without modification. It is the responsibility of the application writer to decide the limitations of the emails they want to allow sending, and subsequently handle the case where emails overrun that limit. The issue does not concern the emails but the buffer used internally to store the received raw data sent by client. The user who wants to fix the issue (#1745035) should override the collectincomingdata method which is usually not meant to be modified. Moreover, there are two RFCs which state that extremely long lines must be truncated and an error reply must be returned.
We can and should discuss the specifics of this item in the bug report itself. I should have replied there instead.
- Josiah
- Previous message: [Python-Dev] Python security team
- Next message: [Python-Dev] Python security team
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]