On Fri, Jan 7, 2022 at 6:09 PM Stephen J. Turnbull <stephenjturnb...@gmail.com> wrote:
>
> Chris Angelico writes:
>
>  > Python source code is not user input though. So there has to be a way
>  > for someone to attack a Python-based service, like attacking a web app
>  > by sending HTTP requests to it.
>
> Not sure what your point is. Of course there has to be a vector. But
> as a Mailman developer, I can assure you that there are Python
> programs facing the web that accept HTTP requests and SMTP messages,
> and process the content, which could be anything an attacker wants it
> to be.
>
> I can't recall any CVEs that we could trace to Python (rather than our
> code :-/), but Mailman can be and has been attacked. I can imagine
> that if there was an RCE vulnerability in Python or a C module we use,
> Mailman would be a top candidate for a workable exploit because of the
> amount of processing of user-supplied text we must do. (Don't worry
> about me, I sleep well anyway. Python is pretty bullet-proof IMO ;-)
>
> Did I completely misunderstand you, or the previous posters?
Not completely, just very minorly. I'm distinguishing between attacks that can be triggered remotely, and those which require the attacker to run specific Python code. For example, using ctypes to change the value of an integer object is not an attack vector, because there's no way for an HTTP or SMTP message to cause you to do that. There are *plenty* of ways to abuse ctypes to crash CPython, and we're not afraid of them, because we don't do that kind of thing in public-facing code. :)

(If there is a way for an attacker to run arbitrary Python code (maybe by abusing a templating system), then that is its own attack vector, since anything can be done, without any sort of interpreter crash.)

My distinction here is that the source code for Mailman itself is not "user input" any more than the source code for CPython is.

ChrisA
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/6MYAL4ZEELKO3RHL4UZYY2DSOGM56B6W/
Code of Conduct: http://python.org/psf/codeofconduct/
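An added illustration, not from the thread, of the ctypes case the reply mentions: it rewrites the stored digit of a freshly created int object in place, so the "immutable" value changes without the object changing identity. It assumes a 64-bit, non-free-threaded CPython where the first 30-bit digit sits 24 bytes into the object (an interpreter-layout assumption, not an API) and refuses to write memory otherwise; nothing carried in an HTTP or SMTP message can make a program call this, which is exactly the boundary the reply draws.

```python
import ctypes
import sys
import sysconfig

# Assumed layout: 16-byte PyObject header, then ob_size (<=3.11) or lv_tag
# (>=3.12), then the first 30-bit digit. Internal detail, not a stable API.
DIGIT_OFFSET = 24


def layout_is_supported() -> bool:
    """Only touch memory when the assumed CPython object layout applies."""
    return (
        sys.implementation.name == "cpython"
        and sys.maxsize > 2**32
        and sys.int_info.bits_per_digit == 30
        and not sysconfig.get_config_var("Py_GIL_DISABLED")
    )


def overwrite_int_in_place(obj: int, new_value: int) -> int:
    """Overwrite the single digit of a one-digit int object; return that same object.

    Requires code already running inside the interpreter with ctypes available:
    no byte of untrusted input reaches this on its own.
    """
    if not layout_is_supported():
        raise RuntimeError("unsupported CPython layout; refusing to write memory")
    # Refuse the interpreter-wide small-int cache (-5..256): corrupting a shared
    # object would change every later use of that literal in the process.
    if not (256 < obj < 2**30 and 0 < new_value < 2**30):
        raise ValueError("demo handles only uncached, positive single-digit ints")
    digit = ctypes.c_uint32.from_address(id(obj) + DIGIT_OFFSET)
    digit.value = new_value
    return obj


def demo() -> tuple[int, int]:
    """Mutate a private int object and return (mutated object, expected value)."""
    x = int("100000")  # freshly allocated, not a cached literal
    original_id = id(x)
    overwrite_int_in_place(x, 100001)
    assert id(x) == original_id  # same object, new value
    return x, 100001


if __name__ == "__main__":
    print(demo())
```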