[Python-Dev] Negative times behaviour in itertools.repeat for Python maintenance releases (2.7, 3.3 and maybe 3.4)

Nick Coghlan ncoghlan at gmail.com
Mon Jan 27 05:02:29 CET 2014


On 27 January 2014 13:51, Alexander Belopolsky
<alexander.belopolsky at gmail.com> wrote:
>
> On Sun, Jan 26, 2014 at 12:00 PM, Vajrasky Kok <sky.kok at speaklikeaking.com>
> wrote:
>>
>> >>> repeat('a', times=-1)
>> repeat('a')
>
>
> As I think about it, this may be more than a bug but a door for a denial of
> service attack.   Imagine an application where times comes from an untrusted
> source.  Someone relying on documented behavior may decide to sanitize the
> value by only checking against an upper bound assuming that negative values
> would just lead to no repetitions.  If an attacker could somehow cause times
> to get the value of -1 this may cause an infinite loop, blow up memory etc.
>
> If you think this is far-fetched - consider a web app that uses repeat() as
> a part of logic to pretty-print user input.  The times value may come from a
> calculation of a difference between the screen width and the length of some
> string - both under user control.
>
> So maybe the fix should go into security bugs only branches as well.

If we do go this path, then we should backport the full fix (i.e.
accepting None to indicate repeating forever), rather than just a
partial fix.

That is, I'm OK with either not backporting anything at all, or
backporting the full change. The only idea I object to is the one of
removing the infinite iteration capability without providing a
replacement spelling for it.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
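
Added example, not part of the original message or of CPython: a wrapper that checks both ends of the range before calling repeat(), applied to the pretty-printing scenario described in the quoted text. The names bounded_repeat, pad_line and MAX_TIMES, and the limit value, are assumptions made for illustration.

```python
from itertools import islice, repeat

MAX_TIMES = 10_000  # assumed application limit, not taken from the thread


def bounded_repeat(obj, times, max_times=MAX_TIMES):
    """Return an iterator that yields obj at most max_times times.

    Both ends of the range are validated, so the result does not depend
    on how the running interpreter's repeat() treats a negative count.
    """
    # bool is a subclass of int; reject it along with float, str and None.
    if isinstance(times, bool) or not isinstance(times, int):
        raise TypeError("times must be an int")
    if times > max_times:
        raise ValueError("times exceeds the allowed maximum")
    # The documented result for a negative count is zero repetitions;
    # enforce that here instead of passing the negative value through.
    count = max(times, 0)
    # islice is a second bound: the consumer can never pull more than
    # count items, whatever repeat() itself does.
    return islice(repeat(obj, count), count)


def pad_line(text, width, fill=" "):
    """Left-justify text to width; text and width are untrusted input."""
    padding = width - len(text)  # negative when text is longer than width
    return text + "".join(bounded_repeat(fill, padding))


if __name__ == "__main__":
    # Constructed inputs: the second call produces a negative padding.
    print(repr(pad_line("hi", 5)))
    print(repr(pad_line("hello", 3)))
```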

