severity 500461 important
thanks

On Fri, Oct 10, 2008 at 9:41 PM, Gunnar Wolf <[EMAIL PROTECTED]> wrote:
> Before anything else: This bug is marked as "grave", because it
> "renders package unusable". Dmitry, I'd downgrade the bug's severity,
> as the package is perfectly usable as long as you don't raise
> $SAFE. Of course, it _is_ a bug, and it _should_ be fixed, but I don't
> see it as grave.

Good argument about severity, downgraded as advised.

> Umh... I'm trying to tackle this, but am still at loss - Anyway, I
> think sharing this might help towards finding the solution.
(...)
> Now, buf comes from Tidybuf, which is also C-based
> (DL::Importable::Internal::Memory). And... This is where I am stuck: I
> can untaint Tidybuf as an object, but not its contents or
> results. And, being it a buffer, it _does_ make sense that the data it
> generates is considered tainted.

Thanks for the help! I agree with your investigation, although I have
doubts about whether DL does the right thing here. I think the problem
is not that the data in buf is tainted when it shouldn't be, it's
rather that a blanket SecurityError is raised by a library on the data
that originates from the same library. But that's just a gut feeling, I
haven't had time to dig deep into DL implementation to see how it
decides whether to allow tainted parameters to DL calls.

-- 
Dmitry Borodaenko