[Python-Dev] Fuzzing bugs: most bugs are closed

Antoine Pitrou solipsis at pitrou.net
Mon Jul 21 17:53:18 CEST 2008

Victor Stinner <victor.stinner <at> haypocalc.com> writes:
> Le Monday 21 July 2008 15:33:19 A.M. Kuchling, vous avez écrit :
> > On Sun, Jul 20, 2008 at 10:45:39PM +0200, Victor Stinner wrote:
> > > Hum... how can I say it? It's trivial to crash _sre  So I blacklisted
> > > _sre.compile() in my fuzzer.
> >
> > We should certainly try to fix those issues, then; people usually
> > assume the re module is safe for use inside a sandbox and probably
> > aren't careful enough to block importing of the _sre module.
> Why is this function public? Is it used by re module? Only _sre module should 
> be allowed to generated "regex bytecode".

The underscore at the beginning of _sre clearly indicates that the module is 
not recommended for direct consumption, IMO. Even the functions that don't 
themselves start with an underscore...

More information about the Python-Dev mailing list