[Python-Dev] Python security team

Giampaolo Rodola' gnewsg at gmail.com
Mon Sep 29 23:23:49 CEST 2008


Yeah, right. Let's continue there.

--- Giampaolo
http://code.google.com/p/pyftpdlib



On 29 Sep, 22:44, "Josiah Carlson" <josiah.carl... at gmail.com> wrote:
> On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gne... at gmail.com> wrote:
> > On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl... at gmail.com> wrote:
> >> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stin... at haypocalc.com> wrote:
> >> > Second, I would like to help to fix all Python security issues. It looks like
> >> > the Python community isn't very reactive (proactive?) about security. E.g. a DoS
> >> > was reported in the smtpd server (integrated into Python)... 15 months ago. A patch
> >> > is available but it's not applied in the Python trunk.
>
> >> The smtpd module is not meant to be used without modification.  It is
> >> the responsibility of the application writer to decide the limitations
> >> of the emails they want to allow sending, and subsequently handle the
> >> case where emails overrun that limit.
>
> > The issue does not concern the emails but the buffer used internally
> > to store the received raw data sent by the client.
> > The user who wants to fix the issue (#1745035) should override the
> > collect_incoming_data method which is usually not meant to be
> > modified.
> > Moreover, there are two RFCs which state that extremely long lines
> > must be truncated and an error reply must be returned.
>
> We can and should discuss the specifics of this item in the bug report
> itself.  I should have replied there instead.
>
>  - Josiah

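The fix discussed in the quoted text above, bounding the buffer that `collect_incoming_data` fills and answering an over-long line with an error reply, shown as an added example that is not part of the thread or of Python's smtpd module. The class name, the `feed` and `buffered` helpers, the 1000-byte cap and the reply text are assumptions made for illustration.

```python
# Added illustration; names, the cap and the reply text are assumptions.
TERMINATOR = b"\r\n"
MAX_LINE = 1000  # assumed per-line cap in bytes, terminator excluded

class BoundedLineCollector:
    """Same collect_incoming_data/found_terminator split as an asynchat
    handler, but never stores more than max_line bytes per line."""

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self._buf = bytearray()
        self._tail = b""        # held-back b"\r" that may start a terminator
        self._overflow = False
        self.lines = []         # complete lines within the cap
        self.replies = []       # error replies to send to the client

    def collect_incoming_data(self, data):
        if self._overflow:
            return              # rest of an oversized line: drop it
        if len(self._buf) + len(data) > self.max_line:
            self._overflow = True
            self._buf.clear()   # oversized line is discarded, not kept
        else:
            self._buf += data

    def found_terminator(self):
        if self._overflow:
            self.replies.append(b"500 Error: line too long\r\n")
        else:
            self.lines.append(bytes(self._buf))
        self._buf.clear()
        self._overflow = False

    def buffered(self):
        return len(self._buf) + len(self._tail)

    def feed(self, chunk):
        """Split one raw network chunk on the terminator."""
        data = self._tail + chunk
        while (idx := data.find(TERMINATOR)) >= 0:
            self.collect_incoming_data(data[:idx])
            self.found_terminator()
            data = data[idx + len(TERMINATOR):]
        keep = 1 if data.endswith(b"\r") else 0   # terminator may straddle chunks
        self.collect_incoming_data(data[:len(data) - keep])
        self._tail = data[len(data) - keep:]
```

However many bytes a client sends without a terminator, the stored data never exceeds the cap plus one held-back byte.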
