[New-bugs-announce] [issue25723] ConfigParser should never write broken configurations
SpaceOne
report at bugs.python.org
Tue Nov 24 10:31:44 EST 2015
New submission from SpaceOne:
>>> from configparser import ConfigParser
>>> from io import StringIO
>>> from configparser import ConfigParser
>>> c = ConfigParser()
>>> c.add_section('foo]\nbar=baz\n[bar')
>>> fd = StringIO()
>>> c.write(fd)
>>> print(fd.getvalue())
[foo]
bar=baz
[bar]
User input should always be validated.
At least a ValueError should be raised if add_section() is called with a string containing anything like ']\x00\n[' or any other non-printable string. As this will always create a broken configuration or might lead to ini-injections.
Otherwise ConfigParser cannot be used to write new config files without having deeper knowledge about the implementation.
See also:
http://bugs.python.org/issue23301
http://bugs.python.org/issue20923
----------
components: Library (Lib)
messages: 255270
nosy: spaceone
priority: normal
severity: normal
status: open
title: ConfigParser should never write broken configurations
type: behavior
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25723>
_______________________________________
More information about the New-bugs-announce
mailing list