[Python-Dev] Replace useless %.100s by %s in PyErr_Format()

Victor Stinner victor.stinner at haypocalc.com
Fri Mar 25 00:21:25 CET 2011


On Thursday 24 March 2011 at 13:22 +0100, M.-A. Lemburg wrote:
> BTW: Why do you think that %.100s is not supported in
> PyErr_Format() in Python 2.x ? PyString_FromFormatV()
> does support this. The change to use Unicode error strings
> introduced the problem, since PyUnicode_FromFormatV() for
> some reason ignores the precision (which it shouldn't).

Oh... You are right, it is a regression in Python 3. We started to write
unit tests for PyBytes_FromFormat() and PyUnicode_FromFormat(), I hope
that they will improve the situation.

> That said, it's a good idea to add the #7330 fix
> to at least Python 2.7 as well, since ignoring the precision
> is definitely a bug. It may even be security relevant, since
> it could be used for DOS attacks on servers (e.g. causing them
> to write huge strings to log files instead of just a few
> hundred bytes per message), so may even need to go into Python 2.6.

Python 2 is not affected because PyErr_Format() uses
PyString_FromFormatV() which supports precision for %s format (e.g.
%.100s truncates the string to 100 bytes).

Do you think that Python 3.1-3.3 should be fixed?

Let's begin by closing #10833 as invalid.

Victor
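
An added example, not part of the original message and not CPython code: a simplified formatter showing how a `%.100s` precision bounds the size of a message built from untrusted input, and what changes when the precision is parsed but ignored. The names `mini_format` and `message_len`, the message text and the 100000-byte input are assumptions made up for the illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mini-formatter (not CPython code): handles only "%s" and
 * "%.Ns". With honor_precision == 0 it parses N and then discards it, the
 * behaviour the thread calls a regression. Returns bytes written. */
size_t mini_format(char *out, size_t cap, const char *fmt,
                   const char *arg, int honor_precision)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    while (*fmt && n + 1 < cap) {
        if (*fmt != '%') {
            out[n++] = *fmt++;
            continue;
        }
        fmt++;                              /* skip '%' */
        size_t limit = (size_t)-1;          /* no precision: unbounded */
        if (*fmt == '.') {
            limit = 0;
            for (fmt++; isdigit((unsigned char)*fmt); fmt++)
                limit = limit * 10 + (size_t)(*fmt - '0');
        }
        if (*fmt++ != 's')                  /* only %s is supported here */
            break;
        if (!honor_precision)
            limit = (size_t)-1;             /* precision ignored */
        for (size_t i = 0; arg[i] && i < limit && n + 1 < cap; i++)
            out[n++] = arg[i];
    }
    out[n] = '\0';
    return n;
}

/* Length of one message built from a constructed name of name_len bytes. */
size_t message_len(size_t name_len, int honor_precision)
{
    size_t cap = name_len + 64, n = 0;
    char *name = calloc(name_len + 1, 1), *out = malloc(cap);
    if (name && out) {
        memset(name, 'A', name_len);
        n = mini_format(out, cap, "bad name '%.100s'", name, honor_precision);
    }
    free(name);
    free(out);
    return n;
}
```

With the precision honored, the message length stays constant however long the input is; with it ignored, the length grows with the input, which is the log-size concern raised in the quoted text.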


