SpaceOne added the comment:
Of course both of you have reasonable arguments.
For compatibility with overridden SECTRE attributes it should not raise
ValueError for characters like [ and ]. (Too bad that SECTRE is a public
attribute; otherwise it could also be used to validate the name
(SECTRE.match('[%s]')).) What if somebody changed SECTRE to multiline? Then even
rejecting '\n' would break compatibility.
But: how often does this happen? In open source projects it seems never. A
nullege.com and Google search showed that no project does this.
Terry, I completely agree with your argument "that blindly inserting external
input into a database is bad idea". But in the real world it happens that there
are many applications out there which don't validate what they pass into
.add_section(). (Do you want me to give you a list of Python projects which are
either broken or vulnerable?) In my opinion this is dangerous, as is not
validating HTTP/Mail/MIME headers for such characters and so on.
What's the goal of Python here? Giving programmers nice utilities which have
security considerations in their software design by default, or leaving everything
up to the programmer, who is forced to never trust the stdlib and always has
to read the source code it uses?
As I understand from reading the documentation, config parser is loosely
based on M$ INI files and, as the name says, it is for configuration files.
Usually(!) configuration files are human readable files editable with an
editor. Disallowing non-printable characters would have been the best option in
the first release of config parser.
From my experience it is good to restrict things from the beginning and make
them overridable to be more relaxed if this is really needed.
And regarding issue20923: I think it would be a great feature to include the
code change instead of changing the documentation. In my research about
add_section() I found some projects which use URIs as section names. As you
know the WWW is evolving, and actually http://[::1]/ is a valid URI nowadays. If
this were changed, these implementations would not have to overwrite SECTRE
in the future and would also not run into that bug one day.
I adapted my commit to only disallow \r, \n and \x00. [ and ] are allowed for
customization of SECTRE.
https://github.com/spaceone/cpython/commit/a0cdb85e4c7c4dd71a87b1f6c4d9d92ece2dde15
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue25723>
_______________________________________