[Python-Dev] Fuzzing bugs: most bugs are closed

Guido van Rossum guido at python.org
Wed Jul 30 20:17:51 CEST 2008

On Mon, Jul 21, 2008 at 10:41 AM, A.M. Kuchling <amk at amk.ca> wrote:
> On Mon, Jul 21, 2008 at 03:53:18PM +0000, Antoine Pitrou wrote:
>> The underscore at the beginning of _sre clearly indicates that the module is
>> not recommended for direct consumption, IMO. Even the functions that don't
>> themselves start with an underscore...
> Sure, but if someone is trying to break in or DoS your application
> server, they don't care if the module starts with an underscore or
> not.
> To answer Victor's original question: the parser & compiler that turn
> a regex into bytecode is written in Python.  I can't think of a way to
> prevent other Python modules from importing _sre or accessing the
> compile() function; if nothing else, code could always do 'import re ;
> re.sre_compile._sre.compile(...)'.

I've written a re-code verifier for the Google App Engine. I have
permission to open source this, hopefully I will get to this before
2.6 beta 3.

--Guido van Rossum (home page: http://www.python.org/~guido/)

More information about the Python-Dev mailing list