Who should security issues be reported to?

Paul Rubin http
Fri Jan 28 14:01:39 CET 2005


Duncan Booth <duncan.booth at invalid.invalid> writes:
> SF doesn't seem to know about any such bug any more.
> Google finds me 
> http://mail.python.org/pipermail/python-bugs-list/2001-October/007669.html
> which appears to be SF bug 467384, but it says nothing about security or 
> the Cookie module, just that you wanted better documentation.

The Cookie issue is discussed some in that bug thread.  But more
relevant is bug 471893.  Sorry.

> I think its a bit borderline whether this really was a security bug in 
> Python rather than just a problem with the way some people used Python. 

If using a module the way it's documented results in a security hole,
that's definitely a security bug.

If using the module in an obvious and natural way that looks correct
results in a security hole, I'd say it's at least an issue needing
attention, even if some sufficiently hairsplitting reading of the
documentation says that usage is incorrect.  Principle of least
astonishment.

I highly recommend reading the book "Security Engineering" by Ross
Anderson if you're trying to implement anything that might ever be
exposed to malicious parties.  That includes any application that
communicates over the internet (such as web servers or clients), and
it includes any application that processes data downloaded from the
internet (such as jpeg viewers).  Each of those classes of programs
has had examples of where hostile data could take over the
application.



More information about the Python-list mailing list