[Python-Dev] PyErr_Format security note

Christian Tismer tismer@appliedbiometrics.com
Mon, 15 Nov 1999 18:02:20 +0100

Guido van Rossum wrote:
> > I noticed this in PyErr_Format(exception, format, va_alist):
> >
> >       char buffer[500]; /* Caller is responsible for limiting the format */
> >       ...
> >       vsprintf(buffer, format, vargs);
> >
> > Making the caller responsible for this is error-prone.
> Agreed.  The limit of 500 chars, while technically undocumented, is
> part of the specs for PyErr_Format (which is currently wholly
> undocumented).  The current callers all have explicit precautions, but
> of course I agree that this is a potential danger.

All but one (checked them all):
In ceval.c, function call_builtin, there is a possible security hole.
If an extension module happens to create a very long type name
(maybe just via a bug), we will crash.

	PyErr_Format(PyExc_TypeError, "call of non-function (type %s)",
	return NULL;

ciao - chris

Christian Tismer             :^)   <mailto:tismer@appliedbiometrics.com>
Applied Biometrics GmbH      :     Have a break! Take a ride on Python's
Kaiserin-Augusta-Allee 101   :    *Starship* http://starship.python.net
10553 Berlin                 :     PGP key -> http://wwwkeys.pgp.net
PGP Fingerprint       E182 71C7 1A9D 66E9 9D15  D3CC D4D7 93E2 1FAE F6DF
     we're tired of banana software - shipped green, ripens at home