[issue31530] [2.7] Python 2.7 readahead feature of file objects is not thread safe
STINNER Victor
report at bugs.python.org
Wed Sep 20 09:36:42 EDT 2017
STINNER Victor added the comment:
The bug was first reported to the private Python security mailing list. The PSRT decided that it's a regular bug and doesn't need to be categorized as a vulnerability, since the attacker has to be able to run arbitrary code in practice.
The PSRT considers that no Python 2.7 application currently rely on reading from the same file object "at the same time" from different thread, since it currently crashs.
So an attacker would have to run his/her own code... but if an attacker can already run arbitrary code, why relying on an unstable race condition and inject machine code (so not portable), whereas Python standard library is full of nice features to write your portable exploit?
For more information, see the Python security model:
https://python-security.readthedocs.io/security.html#security-model
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue31530>
_______________________________________
More information about the Python-bugs-list
mailing list