[Python-Dev] Negative times behaviour in itertools.repeat for Python maintenance releases (2.7, 3.3 and maybe 3.4)

Vajrasky Kok sky.kok at speaklikeaking.com
Mon Jan 27 13:22:53 CET 2014


On Mon, Jan 27, 2014 at 5:38 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>
> I would say not backport at all. The security threat is highly
> theoretical. If someone blindly accepts user values for repeat(), the
> user value can just as well be a very large positive with similar
> effects (e.g. 2**31).
>

I cannot comment on whether this is a security issue or not. But the
effect of a large positive number is not similar to the effect of
unlimited repetitions.

>>> from itertools import repeat
>>> list(repeat('a', 2**31))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
MemoryError
>>> list(repeat('a', 2**99))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OverflowError: Python int too large to convert to C ssize_t
>>> list(repeat('a', times=-1))
...this freezes my computer...

That is why I prefer we backport the fix (either partial or full). If
not, giving a big warning in the documentation should suffice.
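
Added example, not part of the original message or of CPython: a guard for code that passes an untrusted count to `repeat()`, plus a probe for the `times=-1` behaviour shown above that is bounded with `islice()` so it terminates on any interpreter. `MAX_TIMES`, `negative_times_is_unbounded` and `bounded_repeat` are hypothetical names chosen for this sketch.

```python
from itertools import islice, repeat

MAX_TIMES = 10_000  # assumed application limit, not a value from the thread


def negative_times_is_unbounded(probe=5):
    """Return True if repeat(x, times=-1) yields items on this interpreter.

    islice() stops after `probe` items, so the check terminates even where
    a negative keyword value means "repeat forever".
    """
    return len(list(islice(repeat(None, times=-1), probe))) == probe


def bounded_repeat(obj, times, limit=MAX_TIMES):
    """Validate an untrusted count before handing it to itertools.repeat."""
    if isinstance(times, bool) or not isinstance(times, int):
        raise TypeError("times must be an int")
    if times < 0:
        # Rejected explicitly: the session above shows a negative keyword
        # value never terminating, unlike the large positive cases.
        raise ValueError("times must be non-negative")
    if times > limit:
        # Large positives fail with MemoryError or OverflowError only after
        # the attempt; refuse them up front instead.
        raise ValueError("times exceeds limit of %d" % limit)
    return repeat(obj, times)  # count is range-checked at this point


if __name__ == "__main__":
    print("times=-1 unbounded here:", negative_times_is_unbounded())
    for candidate in (3, -1, 2**31, 2**99):  # constructed sample inputs
        try:
            print(candidate, "->", len(list(bounded_repeat("a", candidate))))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```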

