[Python-Dev] Fuzzing bugs: most bugs are closed
Guido van Rossum
guido at python.org
Fri Aug 1 19:58:33 CEST 2008
On Wed, Jul 30, 2008 at 11:17 AM, Guido van Rossum <guido at python.org> wrote:
> On Mon, Jul 21, 2008 at 10:41 AM, A.M. Kuchling <amk at amk.ca> wrote:
>> On Mon, Jul 21, 2008 at 03:53:18PM +0000, Antoine Pitrou wrote:
>>> The underscore at the beginning of _sre clearly indicates that the module is
>>> not recommended for direct consumption, IMO. Even the functions that don't
>>> themselves start with an underscore...
>>
>> Sure, but if someone is trying to break in or DoS your application
>> server, they don't care if the module starts with an underscore or
>> not.
>>
>> To answer Victor's original question: the parser & compiler that turn
>> a regex into bytecode are written in Python. I can't think of a way to
>> prevent other Python modules from importing _sre or accessing the
>> compile() function; if nothing else, code could always do 'import re ;
>> re.sre_compile._sre.compile(...)'.
>
> I've written a re-code verifier for the Google App Engine. I have
> permission to open source this, hopefully I will get to this before
> 2.6 beta 3.
The code is now in the bug tracker: http://bugs.python.org/issue3487
I'll hold off submitting for a while until Barry has had the time to
veto it (or hopefully not :-).
--
--Guido van Rossum (home page: http://www.python.org/~guido/)