bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests by serhiy-storchaka · Pull Request #22566 · python/cpython


Conversation

serhiy-storchaka

vstinner

elif csetval >= 0x100:
csetch = bytes([(csetval >> 8), (csetval & 0xff)])
else:
assert data[0][:2] == '0x'


I suggest something like:

if not data[0].startswith('0x'):
    self.fail(f"Invalid line: {line!r}")

vstinner


@vstinner vstinner left a comment

LGTM.

Tests still pass with this change:

grep -l multibytecodec_support Lib/test/*py > tests
./python -m test -u all --fromfile=tests -j0 -v
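A strict parser for the kind of mapping-table line the review above is about, added here as an example and not code from this PR or from the cpython test suite: only a `0x`-prefixed hex literal is accepted, it is converted with `int(..., 16)` rather than `eval()`, and any other token fails the line before its value is used. The helper names and the sample table are constructed for the example.

```python
import re

# Mapping-file entries look like "0x8140<tab>0x4E02<tab># comment".
# Accept exactly that shape; a hex literal is the only thing we ever convert.
HEX_LITERAL = re.compile(r"^0x[0-9A-Fa-f]{2,8}$")


class MappingLineError(ValueError):
    """Raised for a line that is not a well-formed mapping entry."""


def parse_hex_literal(token):
    """Return the integer value of a 0x... literal; never evaluate the token."""
    if not HEX_LITERAL.match(token):
        raise MappingLineError(f"not a hex literal: {token!r}")
    return int(token[2:], 16)


def codeset_bytes(value):
    """Encode a code-set value as its minimal big-endian byte string."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def parse_mapping_line(line):
    """Return (codeset_bytes, unicode_char), or None for blank/comment lines."""
    data = line.split("#", 1)[0].split()
    if not data:
        return None
    if len(data) != 2:
        raise MappingLineError(f"invalid line: {line!r}")
    cset = parse_hex_literal(data[0])
    ucs = parse_hex_literal(data[1])
    return codeset_bytes(cset), chr(ucs)


def parse_mapping_table(text):
    """Parse a whole table; skip blanks and comments, fail loudly on anything else."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_mapping_line(line)
        except MappingLineError as exc:
            raise MappingLineError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries


# Constructed sample in the style of the Unicode consortium mapping files.
SAMPLE_TABLE = (
    "#   Format: tab-separated columns (constructed sample)\n"
    "0x41\t0x0041\t# LATIN CAPITAL LETTER A\n"
    "0x8140\t0x4E02\t# <CJK>\n"
    "0xA1A1\t0x3000\t# IDEOGRAPHIC SPACE\n"
)
```

A malformed line (missing `0x` prefix, three columns, a token that is not hex) raises `MappingLineError` instead of reaching any evaluation step.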

The-Compiler added a commit to The-Compiler/cpython that referenced this issue

Oct 6, 2020
…UnicodeNames tests

Similarly to pythonGH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.

@miss-islington

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this issue

Oct 6, 2020
…CJK codec tests (pythonGH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

miss-islington added a commit that referenced this issue

Oct 6, 2020
…CJK codec tests (GH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

@miss-islington

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6.
🐍🍒⛏🤖

@miss-islington

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

vstinner pushed a commit that referenced this issue

Oct 6, 2020
…CJK codec tests (GH-22566) (GH-22577)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

vstinner pushed a commit that referenced this issue

Oct 6, 2020
…UnicodeNames tests (GH-22575)

Similarly to GH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.

TomMD pushed a commit to TomMD/cpython that referenced this issue

Oct 8, 2020
…CJK codec tests (pythonGH-22566) (cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

shihai1991 added a commit to shihai1991/cpython that referenced this issue

Oct 9, 2020

xzy3 pushed a commit to xzy3/cpython that referenced this issue

Oct 18, 2020
…UnicodeNames tests (pythonGH-22575)

ned-deily pushed a commit that referenced this issue

Oct 20, 2020
…CJK codec tests (GH-22566) (GH-22578)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

ned-deily pushed a commit that referenced this issue

Oct 20, 2020
…CJK codec tests (GH-22566) (GH-22579)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

gentoo-bot pushed a commit to gentoo/cpython that referenced this issue

Dec 14, 2020
…CJK codec tests (pythonGH-22566) (pythonGH-22579)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>