[Python-Dev] Replace useless %.100s by %s in PyErr_Format()

M.-A. Lemburg mal at egenix.com
Wed Mar 30 22:06:31 CEST 2011


Victor Stinner wrote:
> On Thursday, 24 March 2011 at 13:22 +0100, M.-A. Lemburg wrote:
>> BTW: Why do you think that %.100s is not supported in
>> PyErr_Format() in Python 2.x ? PyString_FromFormatV()
>> does support this. The change to use Unicode error strings
>> introduced the problem, since PyUnicode_FromFormatV() for
>> some reason ignores the precision (which it shouldn't).
> 
> Oh... You are right, it is a regression in Python 3. We started to write
> unit tests for PyBytes_FromFormat() and PyUnicode_FromFormat(), I hope
> that they will improve the situation.
> 
>> That said, it's a good idea to add the #7330 fix
>> to at least Python 2.7 as well, since ignoring the precision
>> is definitely a bug. It may even be security relevant, since
>> it could be used for DOS attacks on servers (e.g. causing them
>> to write huge strings to log files instead of just a few
>> hundred bytes per message), so may even need to go into Python 2.6.
> 
> Python 2 is not affected because PyErr_Format() uses
> PyString_FromFormatV() which supports precision for %s format (e.g.
> %.100s truncate the string to 100 bytes).

Right, but the PyUnicode_FromFormatV() which ignores
the precision is still present in Python 2.6 and 2.7,
even though it is not used by PyErr_Format().

> Do you think that Python 3.1-3.3 should be fixed?

Yes, indeed. The above mentioned security threat is real.

The CPython code only has a few cases where this could be used
for a DOS (e.g. in the pickle module or the AST code), but
since this function is used in 3rd party extensions,
those are affected indirectly as well.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com
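As an added example (this is not code from the thread or from CPython), a small C formatter that parses `%.Ns` and can be switched to the precision-ignoring behaviour the thread describes, so the effect of the bug on a message built from an untrusted 10,000-byte argument can be measured; all function and variable names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal snprintf-style "%s" / "%.Ns" formatter (this example's own code,
 * not CPython's): writes at most outsz-1 bytes and returns the size the full
 * message would need. honor_precision == 0 reproduces the bug from the
 * thread: ".N" is parsed but ignored, so the whole argument is copied. */
static size_t format_s(char *out, size_t outsz, const char *fmt,
                       const char *arg, int honor_precision)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            if (n + 1 < outsz) out[n] = *p;
            n++;
            continue;
        }
        p++;
        size_t limit = (size_t)-1;                /* no precision given */
        if (*p == '.') {
            limit = 0;
            while (isdigit((unsigned char)*++p))
                limit = limit * 10 + (size_t)(*p - '0');
        }
        if (*p != 's') break;                     /* only %s handled here */
        size_t len = strlen(arg);
        if (honor_precision && len > limit) len = limit;  /* the fix */
        for (size_t i = 0; i < len; i++, n++)
            if (n + 1 < outsz) out[n] = arg[i];
    }
    if (outsz) out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

/* Constructed input: a 10,000-byte "type name" from untrusted data, formatted
 * with %.100s, which is supposed to cap it at 100 bytes in the log line. */
size_t error_message_length(int honor_precision)
{
    enum { NAME_LEN = 10000 };
    char *name = malloc(NAME_LEN + 1), sink[64];  /* sink: we only measure size */
    if (!name) return 0;
    memset(name, 'A', NAME_LEN);
    name[NAME_LEN] = '\0';
    size_t n = format_s(sink, sizeof sink, "bad type: %.100s", name, honor_precision);
    free(name);
    return n;
}
```

With the precision honored, `error_message_length(1)` reports a 110-byte message; with it ignored, `error_message_length(0)` reports 10010 bytes, which is the log-bloat the thread is worried about.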
