[issue1298813] sysmodule.c: realpath() is unsafe

2011-08-21 Thread Mihai Ibanescu 

Mihai Ibanescu  added the comment:

It's a real shame the original patch was not applied before py3k was branched, 
the code is now different.

Antoine, my autoconf knowledge is limited, I don't know how you'd test for 
realpath accepting a NULL argument (and doing the right thing) at compile time.

My involvement with this bug is fairly limited at this point, I would like to 
see it fixed, but having seen no movement on it for almost 6 years now, maybe 
it's not as critical as I thought it was.

--

___
Python tracker 
<http://bugs.python.org/issue1298813>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue6478] time.tzset does not reset _strptime's locale time cache

2010-07-12 Thread Mihai Ibanescu 

Mihai Ibanescu  added the comment:

Proposed patch attached.

--
keywords: +patch
Added file: http://bugs.python.org/file17964/_strptime.py.patch

___
Python tracker 
<http://bugs.python.org/issue6478>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue6478] time.tzset does not reset _strptime's locale time cache

2009-07-13 Thread Mihai Ibanescu 

New submission from Mihai Ibanescu :

If one changes from one timezone to another within the same python
process, and if one tries to parse a time string that includes the
timezone, the library malfunctions.

See attached script for a reproducer.

The problem is that, even though time.tzset() is called, the LocaleTime
persisted in the TimeRE global is not reset. In my example, the EDT
timezone name, compiled from the previous TZ variable, is not valid
anymore in the 'Pacific/Fiji' timezone.

To witness the behavior, run the attached script with no arguments. It
will parse the time in the America/New_York timezone just fine.

Then run it with an argument (like python ttime.py 1). It will first
prime the _strptime cache in the Pacific/Fiji timezone, then attempt to
parse the same time string in the America/New_York timezone.

Finally, you can change the "if 0" to "if 1" for working around the problem.

This has been verified in 2.4.4 and 2.6.1 (did not have a chance to
verify it against python 2.6.2 yet).

--
components: Library (Lib)
files: ttime.py
messages: 90497
nosy: mibanescu
severity: normal
status: open
title: time.tzset does not reset _strptime's locale time cache
type: behavior
versions: Python 2.4, Python 2.6
Added file: http://bugs.python.org/file14496/ttime.py

___
Python tracker 
<http://bugs.python.org/issue6478>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue1298813] sysmodule.c: realpath() is unsafe

2009-05-08 Thread Mihai Ibanescu 

Mihai Ibanescu  added the comment:

Disclaimer: this bug is more than 3 years old, I don't remember all the
details.

Victor, solely reading the patch I see:

+#ifdef HAVE_CANONICALIZE_FILE_NAME
+   free(argv0);
+#endif /* HAVE_CANONICALIZE_FILE_NAME */

so argv0 (the string where the results of canonicalize_file_name() is
stored) should be freed.

Is there another branch that does not hit this code, that would create
the memory leak?

--
nosy: +mibanescu

___
Python tracker 
<http://bugs.python.org/issue1298813>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue4675] urllib's splitpasswd does not accept newline chars in passwords

2008-12-16 Thread Mihai Ibanescu 

Changes by Mihai Ibanescu :


--
keywords: +patch
Added file: http://bugs.python.org/file12371/splitpasswd.patch

___
Python tracker 
<http://bugs.python.org/issue4675>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue4675] urllib's splitpasswd does not accept newline chars in passwords

2008-12-16 Thread Mihai Ibanescu 

New submission from Mihai Ibanescu :

According to http://www.ietf.org/rfc/rfc2617.txt section 2, in basic
HTTP authentication the password can be any character (including newline).

urllib does the following:

_passwdprog = re.compile('^([^:]*):(.*)$')

That should be changed to:

_passwdprog = re.compile('^([^:]*):(.*)$', re.S)

otherwise newlines will not be caught by the second part of the regex,
and bad things are produced.

For a password with regular chars in it:

> python -c "import urllib; print urllib.splitpasswd('user:ab')"
('user', 'ab')

For a password with a newline:
> python -c "import urllib; print urllib.splitpasswd('user:a\nb')"
('user:a\nb', None)

The expected result should have been ('user', 'a\nb')

--
components: Library (Lib)
messages: 77919
nosy: mibanescu
severity: normal
status: open
title: urllib's splitpasswd does not accept newline chars in passwords
type: behavior
versions: Python 2.6, Python 3.0

___
Python tracker 
<http://bugs.python.org/issue4675>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com