[issue25723] ConfigParser should never write broken configurations
Terry J. Reedy
report at bugs.python.org
Wed Nov 25 23:56:36 EST 2015
Terry J. Reedy added the comment:
We all know that blindly inserting external data into a database can be a bad idea. But raising ValueError if the data contains \n barely scratches the surface of a real defense. The external data should be checked before passing it to .add_section or as part of a derived method in a subclass. I already suggested the possibility of allowing only a restricted set of letter characters. Such a check comes after defending against the possibility of someone submitting 'a'*1000000 as, in this case, a section name.
configparser is permissive by design, not by accident. The un-abbreviated verbose re for ConfigParser.SECTCRE says so.
(?P<header>[^]]+) # very permissive!
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25723>
_______________________________________
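As an added illustration of the point made in the comment above (this is example code written here, not part of the tracker thread and not CPython's own configparser code), the block below first shows what the stock ConfigParser does with a section name that carries a ']' and a newline (the written file reparses as two sections), then shows the kind of subclass-level check the comment describes: an allow-list of characters far narrower than SECTCRE's `[^]]+`, plus a length cap applied before the regex runs so a million-character name is refused outright. The names StrictSectionConfigParser, InvalidSectionName, the 64-character limit and the `[A-Za-z0-9_.-]` alphabet are all assumptions chosen for this example; the hostile section name is constructed input.

```python
import configparser
import io
import re


class InvalidSectionName(configparser.Error):
    """A section name that would not survive a write/read round trip.

    Deliberately *not* a ValueError: RawConfigParser.read_dict() (and so
    parser[name] = {...}) swallows ValueError raised by add_section(), which
    would turn the rejection into a silently missing section.
    """


class StrictSectionConfigParser(configparser.ConfigParser):
    """ConfigParser subclass that validates section names on the way in.

    The policy below is an assumption of this example, not configparser's:
    a short allow-list of characters (much narrower than SECTCRE's ``[^]]+``)
    and a length cap that is checked before the regex runs.
    """

    MAX_SECTION_NAME_LEN = 64
    SECTION_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

    @classmethod
    def validate_section_name(cls, section):
        if not isinstance(section, str):
            raise TypeError("section names must be strings")
        # Cheap size check first, so 'a' * 1_000_000 is refused before any
        # pattern matching happens.
        if not 0 < len(section) <= cls.MAX_SECTION_NAME_LEN:
            raise InvalidSectionName(
                "section name length %d outside 1..%d"
                % (len(section), cls.MAX_SECTION_NAME_LEN))
        if cls.SECTION_NAME_RE.fullmatch(section) is None:
            raise InvalidSectionName(
                "section name %r contains characters outside [A-Za-z0-9_.-]"
                % section)

    def add_section(self, section):
        # read_dict(), parser[name] = {...} and update() all funnel through
        # add_section(), so this one override covers the programmatic paths.
        # Parsing a file does not: _read() inserts sections directly, so
        # input read from disk still needs its own checks.
        self.validate_section_name(section)
        super().add_section(section)


def sections_after_roundtrip(section_name, strict=False):
    """Write one section (stock parser, or the strict subclass), re-read the
    text with the stock parser, and return the section names that come out."""
    parser_cls = StrictSectionConfigParser if strict else configparser.ConfigParser
    parser = parser_cls()
    parser.add_section(section_name)
    parser.set(section_name, "key", "value")
    buf = io.StringIO()
    parser.write(buf)
    reparsed = configparser.ConfigParser()
    reparsed.read_string(buf.getvalue())
    return reparsed.sections()


def is_rejected(section_name, via_mapping=False):
    """True if StrictSectionConfigParser refuses section_name, either through
    add_section() or through the mapping protocol (parser[name] = {...})."""
    parser = StrictSectionConfigParser()
    try:
        if via_mapping:
            parser[section_name] = {"key": "value"}
        else:
            parser.add_section(section_name)
    except InvalidSectionName:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled input: the ']' and the newline smuggle
    # a second header into the written file, so one section becomes two.
    hostile = "evil]\n[injected"
    print(sections_after_roundtrip(hostile))            # stock: two sections
    print(is_rejected(hostile), is_rejected("a" * 1_000_000),
          is_rejected(hostile, via_mapping=True))       # strict: all refused
    print(sections_after_roundtrip("db.primary", strict=True))
```

The override sits on add_section() rather than on write() because, as the comment says, the check belongs before the data enters the parser; by the time write() runs, the broken name is already stored and every other method that looks it up has been lying to the caller. Names that are read back from a file bypass add_section() entirely, so a deployment that accepts uploaded config files needs the same validation at that boundary.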