[Python-Dev] Fuzzing bugs: most bugs are closed
Antoine Pitrou
solipsis at pitrou.net
Mon Jul 21 17:53:18 CEST 2008
Victor Stinner <victor.stinner <at> haypocalc.com> writes:
>
> Le Monday 21 July 2008 15:33:19 A.M. Kuchling, vous avez écrit :
> > On Sun, Jul 20, 2008 at 10:45:39PM +0200, Victor Stinner wrote:
> > > Hum... how can I say it? It's trivial to crash _sre So I blacklisted
> > > _sre.compile() in my fuzzer.
> >
> > We should certainly try to fix those issues, then; people usually
> > assume the re module is safe for use inside a sandbox and probably
> > aren't careful enough to block importing of the _sre module.
>
> Why is this function public? Is it used by re module? Only _sre module should
> be allowed to generated "regex bytecode".
The underscore at the beginning of _sre clearly indicates that the module is
not recommended for direct consumption, IMO. Even the functions that don't
themselves start with an underscore...
More information about the Python-Dev
mailing list