Who should security issues be reported to?

Duncan Booth duncan.booth at invalid.invalid
Fri Jan 28 13:50:10 CET 2005


Paul Rubin wrote:

> Duncan Booth <duncan.booth at invalid.invalid> writes:
>> In other words, I'm intrigued how you managed to come up with
>> something you consider to be a security issue with Python since
>> Python offers no security. Perhaps, without revealing the actual
>> issue in question, you could give an example of some other situation
>> which, if it came up in Python you would consider to be a security
>> issue? 
> 
> Until fairly recently, the pickle module was insufficiently documented
> as being unsafe to use with hostile data, so people used it that way.
> As a result, the Cookie module's default settings allowed remote
> attackers to take over Python web apps.  See SF bug 467384.

SF doesn't seem to know about any such bug any more.
Google finds me 
http://mail.python.org/pipermail/python-bugs-list/2001-October/007669.html
which appears to be SF bug 467384, but it says nothing about security or 
the Cookie module, just that you wanted better documentation.

I think its a bit borderline whether this really was a security bug in 
Python rather than just a problem with the way some people used Python. It 
was a standard library which if used in the wrong way opens a security hole 
on your machine, but there are plenty of ways to open security holes. 
The response seems to have been to document that there is a security 
concern here, but it is still just as possible to use python to expose your 
machine to attack as it was before.

But thanks anyway, it does give me the sort of example I was asking for.



More information about the Python-list mailing list