Why exception from os.path.exists()?
Ed Kellett
e+python-list at kellett.im
Sat Jun 9 15:53:40 EDT 2018
On 2018-06-08 03:42, Chris Angelico wrote:
> Apart from the one odd bug with SimpleHTTPServer not properly sending
> back 500s, I very much doubt that the original concern - namely that
> os.path.exists() and os.stat() raise ValueError if therels a %00 in
> the URL - can be abused effectively.
Dismissing HTTP 500s as "not a vulnerability" sounds reasonable enough
to me. But you're assuming that all other expressions of this bug in
applications will be at least as benign. I'm not sure that that's warranted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/python-list/attachments/20180609/bd56b51c/attachment.sig>
More information about the Python-list
mailing list