Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Stefan Behnel wrote:

> Ok, but does that really make it a relevant topic for python-dev?

Sorry - I thought I was reading python-general. gmane makes it too easy to post :-).

However, I think it's worth pointing that out, in case people think that Popen is a security panacea.

J

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Antoine Pitrou wrote:

> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.

Of course anything called by subprocess with shell=False may invoke the shell itself if it runs other processes.

Jeremy
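The point made in the two messages above, as an added example that is not part of the thread: `shell=False` only decides whether the *parent* runs a shell. The environment is still inherited wholesale, so a value shaped like an exported bash function (the CVE-2014-6271 trigger, starting with `() {`) travels into the child and into anything the child later execs. The child below is a Python one-liner standing in for such a helper, so the demo does not depend on whether the local bash is patched; the payload, the `HTTP_USER_AGENT` carrier (the classic CGI case) and the allowlist in `scrubbed_env` are all constructed for this illustration.

```python
import os
import subprocess
import sys

# Constructed Shellshock-style payload: a vulnerable bash imports any
# environment value of this shape as a function and runs what follows.
POISONED_VAR = "HTTP_USER_AGENT"
POISONED_VALUE = "() { :; }; echo pwned"

# Child program that only reports the environment it received. It stands in
# for any helper that might itself exec a shell.
_CHILD = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"


def poisoned_parent_env():
    """A copy of this process's environment with the attacker's header added (hypothetical CGI parent)."""
    env = dict(os.environ)
    env[POISONED_VAR] = POISONED_VALUE
    return env


def child_sees(var, env):
    """Spawn a child with shell=False and return the value of `var` it received."""
    result = subprocess.run(
        [sys.executable, "-c", _CHILD, var],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def looks_like_bash_function(value):
    """True if an environment value has the shape of an exported bash function."""
    return value.lstrip().startswith("() {")


def scrubbed_env(source, allow=("PATH", "HOME", "LANG", "LC_ALL", "TZ")):
    """Build a child environment from an allowlist, dropping function-shaped values."""
    return {
        name: value
        for name, value in source.items()
        if name in allow and not looks_like_bash_function(value)
    }


if __name__ == "__main__":
    inherited = poisoned_parent_env()
    # shell=False keeps the parent out of the shell, but the payload is inherited.
    print("inherited env, child sees:", repr(child_sees(POISONED_VAR, inherited)))
    # With an allowlisted environment the payload never reaches the child.
    print("scrubbed env, child sees:", repr(child_sees(POISONED_VAR, scrubbed_env(inherited))))
```

Passing `env=` explicitly is the practical fix on the Python side: it makes the environment a deliberate input to `Popen` rather than whatever the request handler happened to inherit.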
Re: [Python-Dev] Status of the fix for the hash collision vulnerability
Jeremy Sanders wrote:

> Victor Stinner wrote:
>
>> If hash(str1)&DICT_MASK == hash(str2)&DICT_MASK but
>> hash(str1)!=hash(str2), strings are not compared (this is a common
>> optimization in Python), and so the attack would not be successful
>> (it would be slow, but not as slow as comparing two strings).
>
> It's a shame the hash function can't take a second salt parameter to
> include in the hash. Each dict could have its own salt, generated from a
> quick pseudo-random generator.

Please ignore... forgot that the hashes are cached for strings!

Jeremy
Re: [Python-Dev] Status of the fix for the hash collision vulnerability
Victor Stinner wrote:

> If hash(str1)&DICT_MASK == hash(str2)&DICT_MASK but
> hash(str1)!=hash(str2), strings are not compared (this is a common
> optimization in Python), and so the attack would not be successful
> (it would be slow, but not as slow as comparing two strings).

It's a shame the hash function can't take a second salt parameter to include in the hash. Each dict could have its own salt, generated from a quick pseudo-random generator.

Jeremy
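The optimisation Victor describes, shown with a toy table; this is an added example and not CPython's code. Each slot stores the full hash next to the key, and a lookup only calls the key's `__eq__` when the stored full hash matches, so keys that merely share a slot (`hash & DICT_MASK` equal) are rejected without a string comparison, while keys with identical full hashes force one comparison per probe. The `Key` class with a hand-chosen hash, the linear probing (CPython perturbs the probe sequence, which does not change the point) and the table size are all constructed for the demo.

```python
class Key:
    """A hashable key whose hash is chosen by hand (constructed for the demo).

    Counting __eq__ calls shows when the table had to compare keys instead
    of rejecting a slot on the stored full hash alone.
    """
    comparisons = 0

    def __init__(self, name, full_hash):
        self.name = name
        self.full_hash = full_hash

    def __hash__(self):
        return self.full_hash

    def __eq__(self, other):
        Key.comparisons += 1
        return isinstance(other, Key) and self.name == other.name


class ToyDict:
    """Open-addressing table that keeps the full hash beside each key."""

    def __init__(self, size=8):
        assert size & (size - 1) == 0, "size must be a power of two"
        self.mask = size - 1          # the DICT_MASK of the thread
        self.slots = [None] * size    # each slot: (full_hash, key, value) or None

    def _probe(self, full_hash):
        index = full_hash & self.mask
        for _ in range(len(self.slots)):
            yield index
            index = (index + 1) & self.mask   # linear probing, simplified

    def __setitem__(self, key, value):
        full_hash = hash(key)
        for index in self._probe(full_hash):
            slot = self.slots[index]
            # __eq__ runs only when the stored full hash already matches.
            if slot is None or (slot[0] == full_hash and slot[1] == key):
                self.slots[index] = (full_hash, key, value)
                return
        raise OverflowError("table full")

    def get(self, key, default=None):
        full_hash = hash(key)
        for index in self._probe(full_hash):
            slot = self.slots[index]
            if slot is None:
                return default
            if slot[0] == full_hash and slot[1] == key:
                return slot[2]
        return default


def comparisons_for_miss(keys, probe):
    """Insert `keys`, look up the absent `probe`, return how many key comparisons that cost."""
    table = ToyDict(size=8)
    for key in keys:
        table[key] = key.name
    Key.comparisons = 0
    if table.get(probe) is not None:
        raise ValueError("probe key must be absent")
    return Key.comparisons


def same_slot_keys():
    """Seven keys in the same slot (hash & 7 == 0) with distinct full hashes."""
    return [Key("k%d" % i, 8 * i) for i in range(7)]


def same_hash_keys():
    """Seven keys with exactly the same full hash: a true collision."""
    return [Key("k%d" % i, 0) for i in range(7)]


if __name__ == "__main__":
    print("slot collisions only:", comparisons_for_miss(same_slot_keys(), Key("attacker", 56)))
    print("full-hash collisions:", comparisons_for_miss(same_hash_keys(), Key("attacker", 0)))
```

The first lookup walks all seven occupied slots and performs no key comparison; the second performs seven. An attacker therefore needs full 64-bit (or 32-bit) hash collisions, not just equal low bits, to make each probe pay for a string comparison.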
Re: [Python-Dev] Ctypes and the stdlib (was Re: LZMA compression support in 3.3)
Dan Stromberg wrote:

> SIP's approach of using something close to, but not identical to, the .h's
> sounds like it might be pretty productive - especially if the derivative
> of the .h's could be automatically derived using a python script, with
> minor tweaks to the inputs on .h upgrades. But sip itself is apparently
> C++-only.

http://www.riverbankcomputing.co.uk/software/sip/intro

"What is SIP?

One of the features of Python that makes it so powerful is the ability to take existing libraries, written in C or C++, and make them available as Python extension modules. Such extension modules are often called bindings for the library.

SIP is a tool that makes it very easy to create Python bindings for C and C++ libraries. It was originally developed to create PyQt, the Python bindings for the Qt toolkit, but can be used to create bindings for any C or C++ library."

It's not C++ only. The code for SIP is also in C.

Jeremy