[New-bugs-announce] [issue25723] ConfigParser should never write broken configurations

SpaceOne report at bugs.python.org
Tue Nov 24 10:31:44 EST 2015

New submission from SpaceOne:

>>> from configparser import ConfigParser
>>> from io import StringIO
>>> c = ConfigParser()
>>> c.add_section('foo]\nbar=baz\n[bar')
>>> fd = StringIO()
>>> c.write(fd)
>>> print(fd.getvalue())

User input should always be validated.

At least a ValueError should be raised if add_section() is called with a string containing anything like ']\x00\n[' or any other non-printable string, as this will always create a broken configuration or might lead to ini-injections.

Otherwise ConfigParser cannot be used to write new config files without having deeper knowledge about the implementation.

See also:

components: Library (Lib)
messages: 255270
nosy: spaceone
priority: normal
severity: normal
status: open
title: ConfigParser should never write broken configurations
type: behavior
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6

Python tracker <report at bugs.python.org>
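
Added example, not part of the original submission or of CPython: a caller-side wrapper that refuses such section names, plus a write-and-reparse check showing what a reader of the file sees. The names safe_add_section, round_trip, unchecked_result and checked_result, and the validation policy itself, are assumptions made for this illustration.

```python
import io
from configparser import ConfigParser

def safe_add_section(parser, name):
    """Reject section names that could change the structure of the written file.

    Assumed policy for this example: non-empty, printable, no '[' or ']'.
    """
    if not name or not name.isprintable() or "[" in name or "]" in name:
        raise ValueError(f"unsafe section name: {name!r}")
    parser.add_section(name)

def round_trip(parser):
    """Write the parser out, parse the text again, return {section: {key: value}}."""
    buf = io.StringIO()
    parser.write(buf)
    reread = ConfigParser()
    reread.read_string(buf.getvalue())
    return {s: dict(reread[s]) for s in reread.sections()}

def unchecked_result(name):
    """What a reader of the file sees when the name goes straight to add_section()."""
    parser = ConfigParser()
    parser.add_section(name)
    return round_trip(parser)

def checked_result(name):
    """Same, but through the validating wrapper; None when the name is refused."""
    parser = ConfigParser()
    try:
        safe_add_section(parser, name)
    except ValueError:
        return None
    return round_trip(parser)

HOSTILE = "foo]\nbar=baz\n[bar"   # the section name from the report

if __name__ == "__main__":
    print(unchecked_result(HOSTILE))     # one add_section() call, two sections on re-read
    print(checked_result(HOSTILE))       # refused by the wrapper
    print(checked_result("database"))    # constructed benign name, survives the round trip
```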
