[Python-Dev] Security implications of pep 383
Terry Reedy
tjreedy at udel.edu
Wed Mar 30 20:53:51 CEST 2011
On 3/30/2011 2:57 AM, Gregory P. Smith wrote:
>>> http://blog.omega-prime.co.uk/?p=107
>> I posted link to this as comment, with my summary of thread.
> I don't see your comment on the blog post. So either the author is
> moderating comments and hasn't seen yours yet (likely)
My comment and Nick's are now both posted. Blogger Max replied

"Nick, thanks for that info. It is certainly nice that there is a
workaround, and perhaps this is indeed the best that can be done if you still
want the convenience of representing filenames as strings.

Terry: thanks also for the link to the mailing list thread. It is
certainly interesting, and the argument regarding latin1 is a compelling
one — this issue is indeed not specific to PEP383. So the dangerous
operation seems to be comparing strings that were originally created
from byte strings in two different encodings. It’s not clear to me that
it would be sensible for the language to check this (perhaps by throwing
an exception if you try it)."

The other 2 comments are also followed by responses.
--
Terry Jan Reedy
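
The comparison hazard quoted above, as an added example that is not part of the original message or the blog post: the same filename bytes decoded under two encodings give unequal strings, while different bytes can give equal strings, so an equality or allowlist check on filenames is reliable only on the underlying bytes. The sample bytes and the function names are constructed for illustration.

```python
# Added illustration; the filename bytes below are constructed sample data.
LATIN1_RAW = b"caf\xe9.txt"      # "café.txt" as written by a Latin-1 system
UTF8_RAW = b"caf\xc3\xa9.txt"    # "café.txt" as written by a UTF-8 system


def decode_name(raw: bytes, encoding: str) -> str:
    """Decode filename bytes as PEP 383 does: each undecodable byte 0xNN
    becomes the lone surrogate U+DCNN instead of raising an error."""
    return raw.decode(encoding, errors="surrogateescape")


def to_bytes(name: str, encoding: str) -> bytes:
    """Recover the original bytes; this is lossless only when the same
    encoding that produced the string is used."""
    return name.encode(encoding, errors="surrogateescape")


def same_name(a: str, a_enc: str, b: str, b_enc: str) -> bool:
    """Compare two names by their underlying bytes, not their str form."""
    return to_bytes(a, a_enc) == to_bytes(b, b_enc)


def demo() -> dict:
    # Case 1: identical bytes, decoded under two encodings.
    as_utf8 = decode_name(LATIN1_RAW, "utf-8")      # 'caf\udce9.txt'
    as_latin1 = decode_name(LATIN1_RAW, "latin-1")  # 'caf\xe9.txt'
    # Case 2: different bytes that decode to the same text.
    other = decode_name(UTF8_RAW, "utf-8")          # 'caf\xe9.txt'
    return {
        "same_bytes_str_equal": as_utf8 == as_latin1,
        "same_bytes_byte_equal": same_name(as_utf8, "utf-8", as_latin1, "latin-1"),
        "diff_bytes_str_equal": other == as_latin1,
        "diff_bytes_byte_equal": same_name(other, "utf-8", as_latin1, "latin-1"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Case 2 involves no surrogates at all, which is the latin1 argument from the thread: the mismatch comes from mixing encodings, not from PEP 383 itself.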