Why exception from os.path.exists()?

Chris Angelico rosuav at gmail.com
Sun Jun 10 00:55:56 EDT 2018


On Sun, Jun 10, 2018 at 5:53 AM, Ed Kellett <e+python-list at kellett.im> wrote:
> On 2018-06-08 03:42, Chris Angelico wrote:
>> Apart from the one odd bug with SimpleHTTPServer not properly sending
>> back 500s, I very much doubt that the original concern - namely that
>> os.path.exists() and os.stat() raise ValueError if there's a %00 in
>> the URL - can be abused effectively.
> Dismissing HTTP 500s as "not a vulnerability" sounds reasonable enough
> to me. But you're assuming that all other expressions of this bug in
> applications will be at least as benign. I'm not sure that that's warranted.
>

It is an exception. There are a small number of possible results:

1) It happens in code where ValueError could otherwise happen, and the
code gets confused. That's a bug, but bugs do happen. No way to
predict the actual results; it's probably going to make something else
go into a default mode or something. Highly unlikely for it to
trigger a vulnerability, but if it does, the problem is that you have
code that's catching an exception that it shouldn't be.

2) It happens in code where ValueError is not expected, and is handled
as an unexpected exception. ALL end-user-facing code should have a
means of coping with exceptions (web servers should toss back a 500,
etc). If it doesn't, then *that* is the vulnerability, not the
ValueError itself; there are many MANY ways for Python code to
unexpectedly raise exceptions.

Either way, this exception isn't itself a problem; but it might reveal
a different problem. For instance, an end-user-facing app that has no
protective exception handler might be induced to terminate in this
way, which is a DOS; but the problem isn't os.path.exists raising
ValueError, the problem is an unexpected exception causing
termination.

It's important to pin down the true cause of the problem, and not
blame something for doing the proper Pythonic thing. Python is not Go;
exceptions exist to be used. The advantage of Go is that you never get
unexpected exceptions... instead, you just get unexpected incorrect
behaviour if you fail to check the return value of a function and just
assume that it did its job. Exceptions don't remove all responsibility
from you, but they DO make it a lot easier to handle them coherently.

ChrisA
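The two outcomes Chris describes, as an added illustration that is not code from the thread: a request handler that percent-decodes the path (so "%00" becomes a NUL byte) and stats it, once with an over-broad `except ValueError` written for a different purpose, and once with the protective handler the post calls for. The handler names and the "limit" query value are assumptions for the example; os.stat() raising ValueError("embedded null byte") is real behaviour, while os.path.exists() stopped raising and returns False since Python 3.8.

```python
import os
from urllib.parse import unquote


def stat_url_path(url_path):
    """Percent-decode a request path the way a web server would, then stat it.

    "%00" decodes to a NUL byte, and os.stat() raises ValueError
    ("embedded null byte") before touching the filesystem.
    """
    return os.stat(unquote(url_path))


def overbroad_handler(url_path, limit="10"):
    """Case 1 from the post: the except clause was written for a bad 'limit'
    value, but it also swallows the NUL-byte ValueError, so the request
    silently falls into the default mode (hypothetical handler)."""
    try:
        n = int(limit)             # the ValueError this except was meant for
        stat_url_path(url_path)    # ...but this ValueError is caught as well
        return 200, "OK, limit=%d" % n
    except ValueError:
        return 200, "OK, limit=10"  # confused: a NUL in the path is not a bad limit


def protective_handler(url_path):
    """Case 2 from the post: an end-user-facing handler turns any unexpected
    exception into a 500 instead of letting it terminate the server."""
    try:
        stat_url_path(url_path)
        return 200, "OK"
    except FileNotFoundError:
        return 404, "Not Found"
    except Exception:              # unexpected, ValueError included
        # log the traceback here; the process keeps serving other requests
        return 500, "Internal Server Error"
```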
