[Python-Dev] Replace useless %.100s by %s in PyErr_Format()
Victor Stinner
victor.stinner at haypocalc.com
Fri Mar 25 00:21:25 CET 2011
On Thursday 24 March 2011 at 13:22 +0100, M.-A. Lemburg wrote:
> BTW: Why do you think that %.100s is not supported in
> PyErr_Format() in Python 2.x ? PyString_FromFormatV()
> does support this. The change to use Unicode error strings
> introduced the problem, since PyUnicode_FromFormatV() for
> some reason ignores the precision (which it shouldn't).

Oh... You are right, it is a regression in Python 3. We started to write
unit tests for PyBytes_FromFormat() and PyUnicode_FromFormat(), I hope
that they will improve the situation.

> That said, it's a good idea to add the #7330 fix
> to at least Python 2.7 as well, since ignoring the precision
> is definitely a bug. It may even be security relevant, since
> it could be used for DOS attacks on servers (e.g. causing them
> to write huge strings to log files instead of just a few
> hundred bytes per message), so may even need to go into Python 2.6.

Python 2 is not affected because PyErr_Format() uses
PyString_FromFormatV() which supports precision for %s format (e.g.
%.100s truncates the string to 100 bytes).

Do you think that Python 3.1-3.3 should be fixed?

Let's begin by closing #10833 as invalid.

Victor
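An added illustration of the point in this exchange (not code from the message or from CPython): a simplified C model of a formatter, using the hypothetical names model_format and message_len, that compares the size of an error message built from a constructed 10,000-byte string when the %.100s precision is honoured and when it is parsed but ignored.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not CPython code: handles only the first "%s" / "%.Ns"
 * and one string argument. honor_precision=1 truncates to N bytes (what the
 * message says PyString_FromFormatV() does); 0 parses N but ignores it. */
char *model_format(const char *fmt, const char *arg, int honor_precision)
{
    size_t arglen = strlen(arg), n = 0;
    /* Upper bound: all of fmt copied literally plus the argument once. */
    char *out = malloc(strlen(fmt) + arglen + 1);
    if (!out) return NULL;
    while (*fmt) {
        const char *p = fmt + 1;
        char *end;
        long prec = -1;                       /* -1: no precision given */
        if (*fmt != '%') { out[n++] = *fmt++; continue; }
        if (*p == '.') { prec = strtol(p + 1, &end, 10); p = end; }
        if (*p != 's') { out[n++] = *fmt++; continue; } /* not %s: copy '%' */
        size_t take = arglen;
        if (honor_precision && prec >= 0 && (size_t)prec < take)
            take = (size_t)prec;              /* cap the untrusted bytes */
        memcpy(out + n, arg, take);
        strcpy(out + n + take, p + 1);        /* rest of fmt is literal */
        return out;
    }
    out[n] = '\0';
    return out;
}

/* Message length for a constructed input_len-byte caller-supplied name. */
size_t message_len(size_t input_len, int honor_precision)
{
    char *name = calloc(input_len + 1, 1);
    if (!name) return 0;
    memset(name, 'A', input_len);
    char *msg = model_format("bad name '%.100s'", name, honor_precision);
    size_t len = msg ? strlen(msg) : 0;
    free(name);
    free(msg);
    return len;
}

int main(void)
{
    printf("%zu vs %zu bytes\n", message_len(10000, 1), message_len(10000, 0));
    return 0;
}
```

With the precision honoured the message size is fixed by the format string; with it ignored the size follows the input, which is the log-growth concern raised in the quoted text.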