[Python-checkins] r73156 - peps/trunk/pep-0383.txt

R. David Murray rdmurray at bitdance.com
Tue Jun 2 23:35:37 CEST 2009


On Tue, 2 Jun 2009 at 23:00, martin.v.loewis wrote:
> Author: martin.v.loewis
> Date: Tue Jun  2 23:00:50 2009
> New Revision: 73156
>
> Log:
> Add discussion of security issues.
>
>
> Modified:
>   peps/trunk/pep-0383.txt
>
> Modified: peps/trunk/pep-0383.txt
> ==============================================================================
> --- peps/trunk/pep-0383.txt	(original)
> +++ peps/trunk/pep-0383.txt	Tue Jun  2 23:00:50 2009
> @@ -104,6 +104,17 @@
> Data obtained from other sources may conflict with data produced
> by this PEP. Dealing with such conflicts is out of scope of the PEP.
>
> +This PEP allows to "smuggle" bytes in character strings. This would

allows the possibility of "smuggling"

> +be a security risk if the bytes are security-critical when interpreted
> +as characters on a target system, such as path name separators. For
> +this reason, the PEP rejects smuggling bytes below 128. If the target
> +system uses EBCDIC, such smuggled bytes may still a security risk,

may still be a

> +allowing to smuggle, e.g. square brackets or the backslash. Python

allowing smuggling of

> +currently does not support EBCDIC, so this should not be a problem in
> +practice. Anybody porting Python to an EBCDIC system might want to
> +adjust the error handlers, or come up with other approaches to address
> +the security risks.
> +
> Encodings that are not compatible with ASCII are not supported by
> this specification; bytes in the ASCII range that fail to decode
> will cause an exception. It is widely agreed that such encodings
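
Review bot: The added sentence "For this reason, the PEP rejects smuggling bytes below 128" does not say at which step the rejection happens. The risk the paragraph describes arises when the bytes are "interpreted as characters on a target system", that is, after the string has been turned back into bytes, while the context paragraph that follows only mentions an exception when ASCII-range bytes "fail to decode". Suggest stating explicitly whether the rejection applies on decoding, on encoding, or both, so a reader auditing path-separator handling knows which direction is covered. The EBCDIC caveat would also read better after the following paragraph, which already says encodings not compatible with ASCII are unsupported; as placed, the new text discusses EBCDIC before the reader has been told such encodings are out of scope.
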