[Python-Dev] PyErr_Format security note

Andrew M. Kuchling akuchlin@mems-exchange.org
Mon, 15 Nov 1999 10:36:47 -0500 (EST)


Guido van Rossum writes:
>Assuming that Linux and Solaris have vsnprintf(), can't we just use
>the configure script to detect it, and issue a warning blaming the
>platform for those platforms that don't have it?  That seems much

But people using an already-installed Python binary won't see any such
configure-time warning, and won't find out about the potential
problem.  Plus, how do people fix the problem on platforms that don't
have vsnprintf() -- switch to Solaris or Linux?  Not much of a
solution.  (vsnprintf() isn't ANSI C, though it's a common extension,
so platforms that lack it aren't really deficient.)

Hmm... could we maybe use Python's existing (string % vars) machinery?
<think think> No, that seems to be hard, because it would want
PyObjects, and we can't know what Python types to convert the varargs
to, unless we parse the format string (at which point we may as well
get a vsnprintf() implementation).

-- 
A.M. Kuchling			http://starship.python.net/crew/amk/
A successful tool is one that was used to do something undreamed of by its
author.
    -- S.C. Johnson
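
The message's last point, that doing without vsnprintf() means parsing the format string yourself, shown as an added example (not code from this post or from the Python source). The names `bounded_format` and `put` are hypothetical, and the sketch assumes only `%s`, `%d`, `%c` and `%%` are needed; it uses ANSI C alone and never writes past `size` bytes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Copy n bytes if they fit (leaving room for the NUL); always keep counting. */
static void put(char *buf, size_t size, size_t *len, const char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++, (*len)++)
        if (*len + 1 < size) buf[*len] = s[i];
}

/* Hypothetical helper: bounded formatting without vsnprintf().
   Returns the length the untruncated output needs; > size-1 means truncated. */
size_t bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t len = 0;
    char tmp[32];               /* large enough for any int printed with %d */
    const char *s;

    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt != '%') { put(buf, size, &len, fmt, 1); continue; }
        switch (*++fmt) {
        case 's':
            s = va_arg(ap, const char *);
            if (s == NULL) s = "(null)";
            put(buf, size, &len, s, strlen(s)); break;
        case 'd':
            sprintf(tmp, "%d", va_arg(ap, int));   /* bounded by tmp's size */
            put(buf, size, &len, tmp, strlen(tmp)); break;
        case 'c':
            tmp[0] = (char)va_arg(ap, int);
            put(buf, size, &len, tmp, 1); break;
        case '%': put(buf, size, &len, "%", 1); break;
        case '\0': fmt--; break;    /* lone trailing '%': let the loop end */
        default:  /* unknown conversion: argument type unknown, so copy the
                     rest of the format literally and read no more varargs */
            put(buf, size, &len, fmt - 1, strlen(fmt - 1));
            fmt += strlen(fmt) - 1; break;
        }
    }
    va_end(ap);
    if (size > 0)
        buf[len < size ? len : size - 1] = '\0';
    return len;
}
```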