[issue8855] Shelve documentation lacks security warning

2010-08-25 Thread Longpoke

Longpoke added the comment:

Okay I've attached one for the py3k branch. What about 2.7? Same patch applies 
there.

--
keywords: +patch
Added file: http://bugs.python.org/file18645/shelve.rst.patch

___
Python tracker 
<http://bugs.python.org/issue8855>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue8573] Buggy _strerror in asyncore

2010-04-29 Thread Longpoke

New submission from Longpoke:

This function in asyncore is buggy:

    import os
    from errno import errorcode

    def _strerror(err):
        # Look up the message for errno 'err'; this itself can raise when the
        # platform rejects the number rather than describing it.
        res = os.strerror(err)
        # Only an exact 'Unknown error' triggers the fallback; on Linux the
        # string carries the number ("Unknown error 1234"), so it never fires.
        if res == 'Unknown error':
            res = errorcode[err]    # KeyError for numbers errno does not know
        return res

- os.strerror may throw ValueError depending on the OS, or return a string 
saying something like: "Unknown error 1234".
- os.strerror never returns "Unknown error" for me, so "Unknown error " is 
always returned for me (Linux 2.6.32).
- if os.strerror failed, it's likely that it won't be in errno.errorcode either.

Maybe it should be written like this:

    import os

    def _strerror(err):
        try:
            return os.strerror(err)
        except ValueError:
            # The platform rejected the number instead of describing it.
            return "Unknown error {0}".format(err)

--
components: Library (Lib)
messages: 104583
nosy: q94IjzUfnNoyv4c75mMw
priority: normal
severity: normal
status: open
title: Buggy _strerror in asyncore
type: crash
versions: Python 2.6

___
Python tracker 
<http://bugs.python.org/issue8573>
___
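Added example, not part of the report above or of asyncore itself: the reported function next to a variant that never raises, plus a small probe that shows the crash on an out-of-range error number. The names buggy_strerror, robust_strerror and raises are chosen here.

```python
import errno
import os


def buggy_strerror(err):
    """asyncore's original _strerror, as quoted in the report."""
    res = os.strerror(err)
    if res == 'Unknown error':
        res = errno.errorcode[err]
    return res


def robust_strerror(err):
    """Always return a string for an errno value, never raise.

    os.strerror raises ValueError on platforms that reject unknown numbers
    and OverflowError for values that do not fit a C int.  Either way the
    caller is in the middle of reporting one error and must not hit another,
    so fall back to the errno symbol, then to a generic message.
    """
    try:
        return os.strerror(err)
    except (ValueError, OverflowError):
        symbol = errno.errorcode.get(err)
        if symbol is not None:
            return symbol
        return "Unknown error {0}".format(err)


def raises(func, err):
    """Return the exception type func(err) raises, or None if it returns."""
    try:
        func(err)
    except Exception as exc:
        return type(exc)
    return None


if __name__ == "__main__":
    # 2**40 does not fit a C int, so os.strerror refuses it outright.
    probe = 2 ** 40
    print("buggy:", raises(buggy_strerror, probe))     # OverflowError
    print("robust:", robust_strerror(probe))           # Unknown error 1099511627776
    print("known errno:", robust_strerror(errno.ENOENT))
```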



[issue8573] Buggy _strerror in asyncore

2010-05-18 Thread Longpoke

Longpoke added the comment:

Yes, it should definitely be os.strerror. Dunno how I ended up omitting that, 
sorry.

--

___
Python tracker 
<http://bugs.python.org/issue8573>
___



[issue8855] Shelve documentation lacks security warning

2010-05-29 Thread Longpoke

New submission from Longpoke:

Loading a shelve can cause arbitrary code to be executed [1] and other black 
magic (because it's backed by Pickle). Shouldn't there be a big fat warning at 
the top of the shelve documentation page?

Unless you're like me and assume anything to do with serialization in any 
language is insecure until proved otherwise, you aren't going to intuitively 
think there is anything wrong with "unshelving" untrusted data (unless you 
already know that Pickle is insecure).

1. http://nadiana.com/python-pickle-insecure#comment-261

--
assignee: d...@python
components: Documentation
messages: 106746
nosy: d...@python, q94IjzUfnNoyv4c75mMw
priority: normal
severity: normal
status: open
title: Shelve documentation lacks security warning

___
Python tracker 
<http://bugs.python.org/issue8855>
___