[issue3487] sre "bytecode" verifier
Guido van Rossum
report at bugs.python.org
Sat Aug 2 01:41:14 CEST 2008
Guido van Rossum <guido at python.org> added the comment:
> 3. Google considered this enough of a potential problem to pre-emptively
> fix it. Now that that problem has been publicly exposed, other careful
> users will expect it to be fixed and will find Python more attractive
> when it has been.
>
> If this is included in the next betas, the announcement of such might
> say so and encourage re users to re-run any re-based test code.
I should add that the protection this offers is against attempts to
cause crashes by passing bad RE "bytecode" into the _sre.compile().
It is not possibly to generate such bad RE "bytecode" by writing an evil
regular expression; you must have access to the _sre module in order to
be able to exploit this vulnerability. In other words, the
vulnerability is equivalent to having ctypes accessible.
Thus, only people who are worried about malicious use of ctypes should
be worried about this vulnerability. Google's App Engine is one of
those (rare) places, since it lets anybody run their Python code in a
Google datacenter. If you offer the ability to run arbitrary Python
code to strangers, you should worry about this. Otherwise, there is no
reason to worry.
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue3487>
_______________________________________
More information about the Python-bugs-list
mailing list