[Python-Dev] PyErr_Format security note
Christian Tismer
tismer@appliedbiometrics.com
Mon, 15 Nov 1999 18:02:20 +0100
Guido van Rossum wrote:
>
> > I noticed this in PyErr_Format(exception, format, va_alist):
> >
> > char buffer[500]; /* Caller is responsible for limiting the format */
> > ...
> > vsprintf(buffer, format, vargs);
> >
> > Making the caller responsible for this is error-prone.
>
> Agreed. The limit of 500 chars, while technically undocumented, is
> part of the specs for PyErr_Format (which is currently wholly
> undocumented). The current callers all have explicit precautions, but
> of course I agree that this is a potential danger.
All but one (checked them all):
In ceval.c, function call_builtin, there is a possible security hole.
If an extension module happens to create a very long type name
(maybe just via a bug), we will crash.
    }
    PyErr_Format(PyExc_TypeError, "call of non-function (type %s)",
                 func->ob_type->tp_name);
    return NULL;
}
ciao - chris
--
Christian Tismer :^) <mailto:tismer@appliedbiometrics.com>
Applied Biometrics GmbH : Have a break! Take a ride on Python's
Kaiserin-Augusta-Allee 101 : *Starship* http://starship.python.net
10553 Berlin : PGP key -> http://wwwkeys.pgp.net
PGP Fingerprint E182 71C7 1A9D 66E9 9D15 D3CC D4D7 93E2 1FAE F6DF
we're tired of banana software - shipped green, ripens at home
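The mitigation the exchange above points toward, written out as an added example (not CPython's code, then or now): keep the same 500-byte buffer but bound the write with vsnprintf, and report to the caller whether the message was cut off. The names safe_err_format, format_non_function_error and the demo_* helpers are mine, and the 1999-character type name is a constructed worst case.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUF_SIZE 500  /* same fixed size as the 1999 PyErr_Format */

/* Hardened variant: vsnprintf never writes past `size`, so an oversized
 * argument (a huge type name from a buggy extension) truncates the message
 * instead of overrunning the stack. Returns 1 if truncated, 0 if the whole
 * message fit, -1 on a formatting error (buffer left empty). */
int safe_err_format(char *buf, size_t size, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(buf, size, format, ap);   /* bounded, always NUL-terminates */
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= size;               /* n is the length it wanted */
}

/* Mirrors the ceval.c caller quoted in the post: tp_name is supplied by an
 * extension module, so the core cannot assume anything about its length. */
int format_non_function_error(char *buf, size_t size, const char *tp_name)
{
    return safe_err_format(buf, size,
                           "call of non-function (type %s)", tp_name);
}

/* Ordinary case: a short name fits and the message is unchanged. */
int demo_short_type_name(void)
{
    char buf[ERR_BUF_SIZE];
    int truncated = format_non_function_error(buf, sizeof buf, "int");
    return truncated == 0 &&
           strcmp(buf, "call of non-function (type int)") == 0;
}

/* Constructed worst case: a 1999-character type name. With vsprintf this
 * would overrun the 500-byte buffer; here the message is capped at
 * ERR_BUF_SIZE - 1 characters and the function returns that length. */
size_t demo_long_type_name(void)
{
    char buf[ERR_BUF_SIZE];
    char longname[2000];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    format_non_function_error(buf, sizeof buf, longname);
    return strlen(buf);
}
```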