[Python-Dev] Security implications of pep 383

Gregory P. Smith greg at krypto.org
Wed Mar 30 08:57:27 CEST 2011


On Tue, Mar 29, 2011 at 4:07 PM, Terry Reedy <tjreedy at udel.edu> wrote:

> On 3/29/2011 2:23 PM, Michael Foord wrote:
>
>> Not sure how real the security risk is here:
>>
>> http://blog.omega-prime.co.uk/?p=107
>>
>> Basically he is saying that if you store a list of blacklisted files
>> with names encoded in big-5 (or some other non-utf8 compatible encoding)
>> if those names are passed at the command line, or otherwise read in and
>> decoded from an assumed-utf8 source with surrogate escaping, the
>> surrogate escape decoded names will not match the properly decoded
>> blacklisted names.
>>
>
> I posted link to this as comment, with my summary of thread.
>
> --
> Terry Jan Reedy


I don't see your comment on the blog post.  So either the author is
moderating comments and hasn't seen yours yet (likely) or they don't want
disagreement in their comments. ;)

Regardless, it isn't a bug with Python or PEP 383.  If someone is dealing
with security and does not know what formats the various inputs to their
program that are used to make the security check can come in as, they
shouldn't be writing security-oriented code at all...  (But that's never
stopped anyone).

-gps
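An added illustration of the mismatch summarised in the quoted message (example code, not from the thread or from CPython). The Big5 file name and the blacklist configuration bytes are constructed, and `decode_like_argv` stands in for how a UTF-8 locale decodes `sys.argv` under PEP 383; the byte-level comparison at the end is the mitigation a defender would reach for.

```python
from __future__ import annotations

# Constructed sample: a blacklist file written in Big5, listing one name.
BIG5_CONFIG = "中文.txt\n".encode("big5")
# The same name as the OS hands it to the process: raw Big5 bytes.
BIG5_ARGV_BYTES = "中文.txt".encode("big5")


def decode_like_argv(raw: bytes) -> str:
    """Mimic PEP 383 on a UTF-8 locale: bytes that are not valid UTF-8
    become lone surrogates U+DC80..U+DCFF instead of raising."""
    return raw.decode("utf-8", "surrogateescape")


def load_blacklist_as_text(cfg: bytes) -> set[str]:
    """The pattern from the blog post: decode the config 'properly' as
    Big5 and keep the names as str."""
    return {line for line in cfg.decode("big5").splitlines() if line}


def naive_is_blacklisted(argv_name: str, blacklist: set[str]) -> bool:
    """Compares a surrogate-escaped str against properly decoded names, so
    a Big5 name that is not valid UTF-8 never matches."""
    return argv_name in blacklist


def load_blacklist_as_bytes(cfg: bytes) -> set[bytes]:
    """Mitigation: do not decode the config at all; keep raw byte names."""
    return {line for line in cfg.splitlines() if line}


def bytes_is_blacklisted(argv_name: str, blacklist: set[bytes]) -> bool:
    """Mitigation: recover the exact original bytes of the argument with
    surrogateescape (what os.fsencode does on a UTF-8 locale) and compare
    bytes with bytes."""
    return argv_name.encode("utf-8", "surrogateescape") in blacklist


if __name__ == "__main__":
    name = decode_like_argv(BIG5_ARGV_BYTES)
    print("naive:", naive_is_blacklisted(name, load_blacklist_as_text(BIG5_CONFIG)))
    print("bytes:", bytes_is_blacklisted(name, load_blacklist_as_bytes(BIG5_CONFIG)))
```

The same byte-level comparison applies whether the name arrives via `sys.argv`, `os.listdir()` or a decoded config file, as long as every side is reduced to its original bytes before comparing.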