[Python-Dev] PyErr_Format security note
Guido van Rossum
guido@CNRI.Reston.VA.US
Mon, 15 Nov 1999 14:32:00 -0500
> All but one (checked them all):
Thanks for checking.
> In ceval.c, function call_builtin, there is a possible security hole.
> If an extension module happens to create a very long type name
> (maybe just via a bug), we will crash.
>
>     }
>     PyErr_Format(PyExc_TypeError, "call of non-function (type %s)",
>                  func->ob_type->tp_name);
>     return NULL;
> }
I would think that an extension module with a name of nearly 500
characters would draw a lot of attention as being ridiculous. If
there was a bug through which you could make tp_name point to such a
long string, you could probably exploit that bug without having to use
this particular PyErr_Format() statement.
However, I agree it's better to be safe than sorry, so I've checked in
a fix making it %.400s.
--Guido van Rossum (home page: http://www.python.org/~guido/)
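
Added example (not part of the original message and not CPython source): a small C audit helper for the kind of check discussed in this thread, reporting whether a format string has a worst-case length that fits a fixed message buffer. It assumes a 500-byte buffer (the thread only says "nearly 500 characters"); `ERRBUF_SIZE`, `max_formatted_len`, `format_fits` and `format_call_error` are hypothetical names, and only literal text, `%%` and `%s`/`%.Ns` conversions are handled.

```c
/* Added example, not CPython code. ERRBUF_SIZE is an assumption: the
 * thread only says "nearly 500 characters". All names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 500

/* Worst-case output length for a format made of literal text, "%%" and
 * "%s" / "%.Ns". Returns -1 for an unbounded %s or any other conversion. */
long max_formatted_len(const char *fmt)
{
    long total = 0;
    while (*fmt) {
        if (*fmt++ != '%') { total++; continue; }
        if (*fmt == '%') { total++; fmt++; continue; }
        if (*fmt++ != '.') return -1;          /* bare %s: no upper bound */
        if (!isdigit((unsigned char)*fmt)) return -1;
        long prec = 0;
        while (isdigit((unsigned char)*fmt)) {
            prec = prec * 10 + (*fmt++ - '0');
            if (prec > 1000000) return -1;     /* absurd precision, reject */
        }
        if (*fmt++ != 's') return -1;
        total += prec;
    }
    return total;
}

/* 1 if the message plus its NUL always fits in ERRBUF_SIZE bytes. */
int format_fits(const char *fmt)
{
    long n = max_formatted_len(fmt);
    return n >= 0 && n + 1 <= ERRBUF_SIZE;
}

/* The message from the thread with the bounded conversion; snprintf is a
 * second guard in case the format is edited later. */
int format_call_error(char *buf, size_t buflen, const char *tp_name)
{
    return snprintf(buf, buflen, "call of non-function (type %.400s)", tp_name);
}

int main(void)
{
    printf("%%s fits: %d, %%.400s fits: %d\n",
           format_fits("call of non-function (type %s)"),
           format_fits("call of non-function (type %.400s)"));
    return 0;
}
```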