[Python-Dev] Security implications of pep 383
Michael Foord
michael at voidspace.org.uk
Tue Mar 29 20:23:25 CEST 2011
Hey all,
Not sure how real the security risk is here:
http://blog.omega-prime.co.uk/?p=107
Basically he is saying that if you store a list of blacklisted files
with names encoded in big-5 (or some other non-utf8 compatible encoding),
and those names are passed at the command line, or otherwise read in and
decoded from an assumed-utf8 source with surrogate escaping, the
surrogate-escape-decoded names will not match the properly decoded
blacklisted names.
All the best,
Michael Foord
--
http://www.voidspace.org.uk/
May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing http://www.sqlite.org/different.html
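
The mismatch described in the message above, as an added example that is not part of the original post or the linked blog: a Big5-encoded name decoded as UTF-8 with surrogateescape fails a text comparison against the blacklist, while a comparison on the recovered bytes still matches. The file name, the blacklist, the two encodings and all function names are assumptions made for the demonstration.

```python
# Added example, not from the original post. The file name and blacklist
# are constructed; both encodings below are assumptions for the demo.
BLACKLIST = {"\u4e2d\u6587.txt"}  # "中文.txt", stored as properly decoded text
LOCALE_ENCODING = "utf-8"         # what Python assumes for argv / os.listdir()
NAME_ENCODING = "big5"            # what the name bytes really are


def pep383_decode(raw: bytes) -> str:
    """Decode OS-supplied bytes the way PEP 383 does on a UTF-8 locale."""
    return raw.decode(LOCALE_ENCODING, "surrogateescape")


def naive_is_blacklisted(name: str) -> bool:
    """Compare the str as received; misses names carrying escaped bytes."""
    return name in BLACKLIST


def has_escaped_bytes(name: str) -> bool:
    """True if surrogateescape left lone surrogates U+DC80..U+DCFF in name."""
    return any(0xDC80 <= ord(ch) <= 0xDCFF for ch in name)


def _encodings_of(entry: str) -> set:
    """Byte forms of a blacklist entry in each encoding we expect to see."""
    forms = set()
    for enc in (LOCALE_ENCODING, NAME_ENCODING):
        try:
            forms.add(entry.encode(enc))
        except UnicodeEncodeError:
            pass  # entry has no representation in this encoding
    return forms


def is_blacklisted(name: str) -> bool:
    """Recover the original bytes and compare in the byte domain."""
    raw = name.encode(LOCALE_ENCODING, "surrogateescape")
    return any(raw in _encodings_of(entry) for entry in BLACKLIST)


if __name__ == "__main__":
    arg = pep383_decode("\u4e2d\u6587.txt".encode(NAME_ENCODING))
    print(ascii(arg), has_escaped_bytes(arg))
    print("naive:", naive_is_blacklisted(arg), "bytes:", is_blacklisted(arg))
```

has_escaped_bytes() can also be used on its own to reject or log names that did not decode cleanly before any policy check runs.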