[Python-checkins] r73156 - peps/trunk/pep-0383.txt

martin.v.loewis python-checkins at python.org
Tue Jun 2 23:00:50 CEST 2009


Author: martin.v.loewis
Date: Tue Jun  2 23:00:50 2009
New Revision: 73156

Log:
Add discussion of security issues.


Modified:
   peps/trunk/pep-0383.txt

Modified: peps/trunk/pep-0383.txt
==============================================================================
--- peps/trunk/pep-0383.txt	(original)
+++ peps/trunk/pep-0383.txt	Tue Jun  2 23:00:50 2009
@@ -104,6 +104,17 @@
 Data obtained from other sources may conflict with data produced
 by this PEP. Dealing with such conflicts is out of scope of the PEP.
 
+This PEP allows to "smuggle" bytes in character strings. This would
+be a security risk if the bytes are security-critical when interpreted
+as characters on a target system, such as path name separators. For
+this reason, the PEP rejects smuggling bytes below 128. If the target
+system uses EBCDIC, such smuggled bytes may still a security risk,
+allowing to smuggle, e.g. square brackets or the backslash. Python
+currently does not support EBCDIC, so this should not be a problem in
+practice. Anybody porting Python to an EBCDIC system might want to
+adjust the error handlers, or come up with other approaches to address
+the security risks.
+
 Encodings that are not compatible with ASCII are not supported by
 this specification; bytes in the ASCII range that fail to decode
 will cause an exception. It is widely agreed that such encodings
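Review bot: The EBCDIC sentence in the added paragraph is missing its verb: "such smuggled bytes may still a security risk" should read "may still be a security risk". In the same paragraph, "This PEP allows to 'smuggle' bytes" and "allowing to smuggle, e.g. square brackets" would read better as "allows smuggling bytes" and "allowing square brackets or the backslash to be smuggled". The paragraph also says the PEP "rejects smuggling bytes below 128" without saying what rejection means in practice. The unchanged context right after it states that bytes in the ASCII range that fail to decode cause an exception, so I would tie the two together, for example by saying here that such bytes raise an exception instead of being smuggled. Finally, the EBCDIC caveat sits directly before the statement that encodings not compatible with ASCII are not supported by this specification. A short clause connecting them would make clear that the remaining risk applies only to a port that changes that assumption.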

