[Python-Dev] Python security team
Josiah Carlson
josiah.carlson at gmail.com
Mon Sep 29 22:44:16 CEST 2008
On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gnewsg at gmail.com> wrote:
> On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl... at gmail.com> wrote:
>> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>>
>> <victor.stin... at haypocalc.com> wrote:
>> > Second, I would like to help to fix all Python security issues. It looks like
>> > Python community isn't very reactive (proactive?) about security. Eg. a DoS
>> > was reported in smtpd server (integrated to Python)... 15 months ago. A patch
>> > is available but it's not applied in Python trunk.
>>
>> The smtpd module is not meant to be used without modification. It is
>> the responsibility of the application writer to decide the limitations
>> of the emails they want to allow sending, and subsequently handle the
>> case where emails overrun that limit.
>
> The issue does not concern the emails but the buffer used internally
> to store the received raw data sent by client.
> The user who wants to fix the issue (#1745035) should override the
> collect_incoming_data method which is usually not meant to be
> modified.
> Moreover, there are two RFCs which state that extremely long lines
> must be truncated and an error reply must be returned.
We can and should discuss the specifics of this item in the bug report
itself. I should have replied there instead.
- Josiah
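Added example, not code from this thread or from CPython's smtpd module: a minimal asynchat-style line collector showing the unbounded internal buffer Giampaolo describes beside a variant that overrides collect_incoming_data to cap the line, truncate the excess and queue an error reply. The 1000-octet limit, the 64-byte read chunk and the "500" reply text are assumptions; the thread names neither RFC.

```python
MAX_LINE = 1000  # assumed per-line limit in octets; the thread names no RFC
TERMINATOR = b"\r\n"


class UnboundedLineChannel:
    """asynchat-style collector: chunks pile up until the terminator arrives."""
    def __init__(self):
        self.received_data, self.lines, self.replies = [], [], []
    def collect_incoming_data(self, data):
        self.received_data.append(data)  # grows with whatever the client sends
    def found_terminator(self):
        self.lines.append(b"".join(self.received_data))
        self.received_data = []
    def buffered_bytes(self):
        return sum(len(c) for c in self.received_data)


class BoundedLineChannel(UnboundedLineChannel):
    """Overrides collect_incoming_data, as the thread suggests, to cap the
    buffered line, truncate the excess and queue an error reply."""
    def __init__(self, max_line=MAX_LINE):
        super().__init__()
        self.max_line, self.overflowed = max_line, False
    def collect_incoming_data(self, data):
        if self.overflowed:
            return  # line already rejected; discard until the terminator
        room = self.max_line - self.buffered_bytes()
        if len(data) > room:
            self.received_data.append(data[:room])  # keep only what fits
            self.overflowed = True
            self.replies.append(b"500 Error: line too long")  # assumed reply
        else:
            self.received_data.append(data)
    def found_terminator(self):
        if self.overflowed:  # drop the rejected line instead of processing it
            self.received_data, self.overflowed = [], False
        else:
            super().found_terminator()


def feed(channel, stream, chunk=64):
    """Drive a channel as a socket read loop would: data arrives in chunks and
    found_terminator fires after each complete CRLF-terminated line."""
    *full, tail = stream.split(TERMINATOR)
    for line in full:
        for i in range(0, len(line), chunk):
            channel.collect_incoming_data(line[i:i + chunk])
        channel.found_terminator()
    for i in range(0, len(tail), chunk):
        channel.collect_incoming_data(tail[i:i + chunk])
    return channel
```

Feeding a never-terminated stream shows the difference directly: the unbounded channel retains every byte, while the bounded one stops at MAX_LINE and has one error reply queued.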