[Python-Dev] Fuzzing bugs: most bugs are closed (original) (raw)
Guido van Rossum guido at python.org
Fri Aug 1 19:58:33 CEST 2008
- Previous message: [Python-Dev] Summary of Python tracker Issues
- Next message: [Python-Dev] Fuzzing bugs: most bugs are closed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Jul 30, 2008 at 11:17 AM, Guido van Rossum <guido at python.org> wrote:
On Mon, Jul 21, 2008 at 10:41 AM, A.M. Kuchling <amk at amk.ca> wrote:
On Mon, Jul 21, 2008 at 03:53:18PM +0000, Antoine Pitrou wrote:
The underscore at the beginning of sre clearly indicates that the module is not recommended for direct consumption, IMO. Even the functions that don't themselves start with an underscore...
Sure, but if someone is trying to break in or DoS your application server, they don't care if the module starts with an underscore or not. To answer Victor's original question: the parser & compiler that turn a regex into bytecode is written in Python. I can't think of a way to prevent other Python modules from importing sre or accessing the compile() function; if nothing else, code could always do 'import re ; re.srecompile.sre.compile(...)'. I've written a re-code verifier for the Google App Engine. I have permission to open source this, hopefully I will get to this before 2.6 beta 3.
The code is now in the bug tracker: http://bugs.python.org/issue3487
I'll hold off submitting for a while until Barry has had the time to veto it (or hopefully not :-).
-- --Guido van Rossum (home page: http://www.python.org/~guido/)
- Previous message: [Python-Dev] Summary of Python tracker Issues
- Next message: [Python-Dev] Fuzzing bugs: most bugs are closed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]