[Python-Dev] patch commit policies (was [issue4308] repr of httplib.IncompleteRead is stupid)
Tres Seaver
tseaver at palladion.com
Fri Mar 6 04:07:45 CET 2009
Chris Withers wrote:
> Martin v. Löwis wrote:
>> Martin v. Löwis <martin at v.loewis.de> added the comment:
>>
>>> So all Chris has to do to get this applied to 2.5 is craft an exploit based
>>> on the current behavior, right? ;-)
>> Right :-) Of course, security patches should see a much more careful
>> review than regular bug fixes.
>
> Well, it's funny you say that, since where I bumped into this, the bug
> was effectively DOS'ing a couple of mailservers as a result of
> mailinglogger sending out log entries of uncaught exceptions such as
> this and so emitting 100Mb emails whenever the foreign server chose not
> to deliver the whole chunk requested...
If it is possible for a hostile outsider to trigger the DOS by sending
mail to be processed by an application using the library, and the
application can't avoid the DOS without ditching / forking /
monkeypatching the library, then I would call the bug a "security bug",
period.
As for backward compatibility: any application which is depending on
getting arbitrarily-long lines in its logfile is already insane, and
should be scrapped.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
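The failure mode in this thread (an exception whose repr carries the whole partial body, so a log-to-mail handler ships a message of the payload's size) is easy to reproduce and to contain. The block below is an added illustration, not code from this thread or from the stdlib: `PartialReadError` is a constructed stand-in for an exception with an unbounded repr, and `BoundedFormatter` is a hypothetical `logging.Formatter` subclass that caps what any handler behind it will emit, which is the application-side mitigation available when the library cannot be changed.

```python
import logging
from io import StringIO


class PartialReadError(Exception):
    """Constructed stand-in (hypothetical, not httplib's code) for an exception
    whose repr embeds the entire partial body it received."""

    def __init__(self, partial, expected):
        Exception.__init__(self, partial, expected)
        self.partial = partial
        self.expected = expected

    def __repr__(self):
        return "PartialReadError(%r, %d more expected)" % (self.partial, self.expected)

    __str__ = __repr__


class BoundedFormatter(logging.Formatter):
    """Hypothetical formatter that caps each formatted record (message plus
    traceback) at max_len characters, so a handler that mails or stores the
    record can never be driven to an input-sized output by one exception."""

    def __init__(self, fmt=None, max_len=1024):
        logging.Formatter.__init__(self, fmt)
        self.max_len = max_len

    def format(self, record):
        text = logging.Formatter.format(self, record)
        if len(text) > self.max_len:
            dropped = len(text) - self.max_len
            text = text[:self.max_len] + " ...[truncated %d chars]" % dropped
        return text


def capture(formatter, payload_size):
    """Log an exception carrying payload_size bytes of partial data through
    the given formatter and return exactly what the handler emitted."""
    stream = StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(formatter)
    logger = logging.getLogger("demo.%d" % id(stream))  # isolated logger per call
    logger.propagate = False
    logger.addHandler(handler)
    try:
        # Constructed input: a server that stops after payload_size bytes.
        raise PartialReadError("A" * payload_size, 10)
    except PartialReadError:
        logger.exception("request failed")  # traceback text includes str(exc)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


def unbounded_len(payload_size):
    """Size of the log record with the default formatter: grows with the payload."""
    return len(capture(logging.Formatter("%(message)s"), payload_size))


def bounded_len(payload_size, max_len=1024):
    """Size of the log record behind BoundedFormatter: stays near max_len."""
    return len(capture(BoundedFormatter("%(message)s", max_len=max_len), payload_size))


if __name__ == "__main__":
    size = 200000
    print("default formatter emitted %d chars" % unbounded_len(size))
    print("bounded formatter emitted %d chars" % bounded_len(size))
```

Put the bounded formatter on whichever handler has a cost per byte (SMTP, syslog over the network, a remote log collector); a local rotating file handler can keep the full text if you want it for diagnosis.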