On Fri, Jan 7, 2022 at 2:57 PM Stephen J. Turnbull <[email protected]> wrote:
>
> Patrick Reader writes:
>
> > And Python is not like JavaScript (in the browser), where code is
> > supposed to be run in a total sandbox. Python is not supposed to be a
> > completely memory-safe language. You can always access memory manually
> > using `ctypes`, or, ultimately, `/proc/self/mem`.
>
> True enough, but
>
> > For this reason, a buffer overflow in CPython is a bug because it can
> > cause a crash, not because it can cause a security vulnerability.
>
> A crash *is* a (potential) security vulnerability. If it can be
> reliably triggered by user input, it's a denial of service.
>

Python source code is not user input though. So there has to be a way
for someone to attack a Python-based service, like attacking a web app
by sending HTTP requests to it.

ChrisA

Python-Dev mailing list -- [email protected]
Message archived at https://mail.python.org/archives/list/[email protected]/message/4327CU63W745JGSQM4RO7M77F7BNXSUI/
