[Python-Dev] PyErr_Format security note

Jim Fulton jim@digicool.com
Mon, 15 Nov 1999 11:56:38 -0500


"Andrew M. Kuchling" wrote:
> 
> Guido van Rossum writes:
> >Assuming that Linux and Solaris have vsnprintf(), can't we just use
> >the configure script to detect it, and issue a warning blaming the
> >platform for those platforms that don't have it?  That seems much
> 
> But people using an already-installed Python binary won't see any such
> configure-time warning, and won't find out about the potential
> problem.  Plus, how do people fix the problem on platforms that don't
> have vsnprintf() -- switch to Solaris or Linux?  Not much of a
> solution.  (vsnprintf() isn't ANSI C, though it's a common extension,
> so platforms that lack it aren't really deficient.)
> 
> Hmm... could we maybe use Python's existing (string % vars) machinery?
> <think think> No, that seems to be hard, because it would want
> PyObjects, and we can't know what Python types to convert the varargs
> to, unless we parse the format string (at which point we may as well
> get a vsnprintf() implementation).

It's easy. You use two format strings. One a Python string format, 
and the other a Py_BuildValue format. See my other note.

Jim


--
Jim Fulton           mailto:jim@digicool.com   Python Powered!        
Technical Director   (888) 344-4332            http://www.python.org  
Digital Creations    http://www.digicool.com   http://www.zope.org    

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list without my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
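
The vsnprintf() approach raised in the quoted text, as an added example that is not part of the original thread and is not Python's own code: a varargs error formatter that writes into a fixed buffer, never past its end, and reports truncation to the caller. The names `format_error`, `format_error_v`, `demo_long_name` and the size `ERRBUF_SIZE` are hypothetical, chosen for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 64   /* assumed buffer size for the demo */

/* Format into buf without writing past buf[size - 1].
 * Returns 0 if the message fit, 1 if it was truncated, -1 on failure. */
static int format_error_v(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n;

    if (buf == NULL || size == 0)
        return -1;
    n = vsnprintf(buf, size, fmt, ap);
    if (n < 0) {
        /* C99: output error. Some pre-C99 libraries also return a
         * negative value on overflow; both are treated as failure. */
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= size) {
        /* C99: n is the length the full message would have needed. */
        if (size > 4)
            memcpy(buf + size - 4, "...", 4);   /* visible truncation mark */
        return 1;
    }
    return 0;
}

static int format_error(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = format_error_v(buf, size, fmt, ap);
    va_end(ap);
    return rc;
}

/* Constructed input: an argument far longer than the buffer. */
static int demo_long_name(char *out, size_t size)
{
    char name[200];

    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return format_error(out, size, "unknown attribute '%s'", name);
}
```
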