[issue13703] Hash collision security issue
Antoine Pitrou pit...@free.fr added the comment:

> I like this, esp. if for old releases the collision counting is on by default and the hash seeding is off by default, while in 3.3 both should be on by default. Different env vars or flags should be used to enable/disable them.

I would hope 3.3 only gets randomized hashing. Collision counting is a hack to make bugfix releases 99.999%-compatible instead of 99.9% ;)

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703

Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13703] Hash collision security issue
Guido van Rossum gu...@python.org added the comment:

On Wed, Jan 18, 2012 at 1:05 PM, Antoine Pitrou rep...@bugs.python.org wrote:
> Antoine Pitrou pit...@free.fr added the comment:
>
>> I like this, esp. if for old releases the collision counting is on by default and the hash seeding is off by default, while in 3.3 both should be on by default. Different env vars or flags should be used to enable/disable them.
>
> I would hope 3.3 only gets randomized hashing. Collision counting is a hack to make bugfix releases 99.999%-compatible instead of 99.9% ;)

Really? I'd expect the difference to be more than 2 nines. The randomized hashing has two problems: (a) change in dict order; (b) hash varies between processes. I cannot imagine counterexamples to the collision counting that weren't constructed specifically as counterexamples.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13703] Hash collision security issue
Antoine Pitrou pit...@free.fr added the comment:

> Really? I'd expect the difference to be more than 2 nines. The randomized hashing has two problems: (a) change in dict order; (b) hash varies between processes.

Personally I don't think the change in dict order is a problem (hashing already changes between 32-bit and 64-bit builds, and we sometimes change the calculation too: it might change *more* often with random hashes, while it went unnoticed in some cases before). So only (b) is a problem and I don't think it affects more than 0.01% of applications/users :)

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13781] gzip module does the wrong thing with an os.fdopen()'ed fileobj
Gregory P. Smith g...@krypto.org added the comment:

Looks like you've got commit privs (yay) so I'm assigning this to you to take care of that way for 2.7 as well.

I'd add a comment to the fdopen C code where the fdopen constant lives as well as to the gzip.py module around the special case for this mentioning that they should be kept in sync. (Not that either is _ever_ likely to be changed in 2.7.)

--
assignee: gregory.p.smith -> nadeem.vawda
versions: -Python 3.2, Python 3.3
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13781
[issue10278] add time.wallclock() method
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:

New changeset 83e8c3a6a81c by Antoine Pitrou in branch 'default':
Be more lenient in test_wallclock (issue #10278).
http://hg.python.org/cpython/rev/83e8c3a6a81c

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue10278
[issue13722] distributions can disable the encodings package
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:

New changeset 46b245f03f54 by Antoine Pitrou in branch '3.2':
Issue #13722: Avoid silencing ImportErrors when initializing the codecs registry.
http://hg.python.org/cpython/rev/46b245f03f54

New changeset f55529aa023d by Antoine Pitrou in branch 'default':
Issue #13722: Avoid silencing ImportErrors when initializing the codecs registry.
http://hg.python.org/cpython/rev/f55529aa023d

--
nosy: +python-dev
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13722
[issue13722] distributions can disable the encodings package
Changes by Antoine Pitrou pit...@free.fr:

--
resolution: -> fixed
stage: needs patch -> committed/rejected
status: open -> closed
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13722
[issue10278] add time.wallclock() method
Changes by Antoine Pitrou pit...@free.fr:

--
status: open -> closed
Python tracker rep...@bugs.python.org http://bugs.python.org/issue10278
[issue13811] In str.format an incorrect alignment option doesn't make fill char and onself absent
py.user port...@yandex.ru added the comment:

Eric V. Smith wrote:
> I'm not sure what you're saying here. Is it that 'xx' should be ignored?

Yes, the description says they are assumed absent.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13781] gzip module does the wrong thing with an os.fdopen()'ed fileobj
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:

New changeset a08e9e84f33f by Nadeem Vawda in branch '2.7':
Issue #13781: Fix GzipFile to work with os.fdopen()'d file objects.
http://hg.python.org/cpython/rev/a08e9e84f33f

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13781
[issue13811] In str.format an incorrect alignment option doesn't make fill char and onself absent
Eric V. Smith e...@trueblade.com added the comment:

The only error is the text of the ValueError. I'll look into fixing that. These characters will not be ignored.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13703] Hash collision security issue
STINNER Victor victor.stin...@haypocalc.com added the comment:

> Don't you think that the number of corrections you have to apply in order to get the tests working again shows how much impact such a change would have in real-world applications ?

Let's see the diffstat:

 Doc/using/cmdline.rst                       |    7
 Include/pythonrun.h                         |    2
 Include/unicodeobject.h                     |    6
 Lib/json/__init__.py                        |    4
 Lib/os.py                                   |   17 -
 Lib/packaging/create.py                     |    7
 Lib/packaging/tests/test_create.py          |   18 -
 Lib/test/mapping_tests.py                   |    2
 Lib/test/regrtest.py                        |    5
 Lib/test/test_builtin.py                    |    1
 Lib/test/test_dis.py                        |   36 ++-
 Lib/test/test_gdb.py                        |   11 -
 Lib/test/test_inspect.py                    |    1
 Lib/test/test_os.py                         |   35 ++-
 Lib/test/test_set.py                        |   25 ++
 Lib/test/test_unicode.py                    |   39
 Lib/test/test_urllib.py                     |   16 -
 Lib/test/test_urlparse.py                   |    6
 Lib/tkinter/test/test_ttk/test_functions.py |    2
 Makefile.pre.in                             |    1
 Modules/posixmodule.c                       |  126 ++---
 Objects/unicodeobject.c                     |   20 +-
 PCbuild/pythoncore.vcproj                   |    4
 Python/pythonrun.c                          |    3
 Python/random.c                             |  268
 25 files changed, 488 insertions(+), 174 deletions(-)

Except Lib/packaging/create.py, all other changes are related to the introduction of the randomized hash function, or fix tests... Even the Lib/packaging/create.py change is related to fixing tests. The test can be changed differently, but I like the idea of having always the same output in packaging (e.g. it is more readable for the user if files are sorted).

I expected to have to do something on multiprocessing, but nope, it doesn't care about the hash value.

So I expect something similar in applications: no change in the applications, but a lot of hacks/tricks in tests.

> Perhaps we should start to think about a compromise: make both the collision counting and the hash seeding optional and let the user decide which option is best.

I don't think that we need two fixes for a single vulnerability (in the same Python version), one is enough. If we decide to count collisions, the randomized hash idea can be simply dropped.

But we may use a different fix for Python 3.3 and for stable versions (e.g. count collisions for stable versions and use randomized hash for 3.3).

> BTW: The patch still includes the unnecessary _Py_unicode_hash_secret.suffix which needlessly complicates the code and doesn't any additional protection against hash value collisions

How does it complicate the code? It adds an extra XOR to hash(str) and 4 or 8 bytes in memory, that's all.

It is more difficult to compute the secret from hash(str) output if there is a prefix *and* a suffix. If there is only a prefix, knowing a single hash(str) value is just enough to retrieve directly the secret.

> I don't think it affects more than 0.01% of applications/users :)

It would help to try a patched Python on a real world application like Django to realize how much code is broken (or not) by a randomized hash function.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue10109] itertools.product with infinite iterator cause MemoryError.
Terry J. Reedy tjre...@udel.edu added the comment:

Proposing an expansion of the definition of product() is a *completely* different issue from the validity of count() as an input. I answered correctly given the current definition of product(): it is not valid input. It is also not valid input to your proposed revision:

>>> tuple(itertools.cycle(enumerate(it)) for it in itertools.count())
...
TypeError: 'int' object is not iterable

-- just as I said.

If you want to propose an enhancement, either open a new, enhancement issue or post to python-ideas. Since new features can only go in 3.3+, post 3.x code, not 2.x. And please do not quibble about the difference between 'infinite' and 'too large to fit in memory'.

--
stage: -> committed/rejected
versions: +Python 3.3 -Python 3.1
Python tracker rep...@bugs.python.org http://bugs.python.org/issue10109
[issue13811] In str.format an incorrect alignment option doesn't make fill char and onself absent
py.user port...@yandex.ru added the comment:

> If the second character of format_spec is not a valid alignment option, then it is assumed that both the fill character and the alignment option are absent.

What does it mean?

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13811] In str.format an incorrect alignment option doesn't make fill char and onself absent
Stefan Krah stefan-use...@bytereef.org added the comment:

py.user: The format string must always match the grammar, which is just above the paragraph that you quoted:

    [[fill]align][sign][#][0][width][,][.precision][type]

Thus, if fill and align are absent, it does not mean that you can add arbitrary characters like "xx".

I think the docs are crystal clear; I also prefer Eric's suggestion for a new error message.

--
nosy: +skrah
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
Eric V. Smith e...@trueblade.com added the comment:

Changing to 3.3: I don't think applying this to 3.2 would be appropriate.

--
assignee: -> eric.smith
keywords: +easy
priority: normal -> low
stage: -> needs patch
title: In str.format an incorrect alignment option doesn't make fill char and onself absent -> In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
versions: +Python 3.3 -Python 3.2
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue10109] itertools.product with infinite iterator cause MemoryError.
Sumudu Fernando sumu...@gmail.com added the comment:

>>>> tuple(itertools.cycle(enumerate(it)) for it in itertools.count())
> ...
> TypeError: 'int' object is not iterable

That is not what happens in the function, though! That would correspond to doing product(*itertools.count(2010)), but if you try that you won't even get past argument expansion (obviously). Doing product(*xrange(10)) gives the error you're talking about, for example.

product(itertools.count(2010)) works perfectly well with the version I posted, though it is a bit silly to do it that way since it produces the same values as count itself (which is what cartesian product should do), while saving extra bookkeeping along the way.

Anyway, I'm pretty new to Python and I don't think this is quite relevant enough to warrant opening a new ticket. I'm happy to leave it here for the education of the next neophyte who stumbles across this idiosyncrasy of itertools.product.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue10109
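The streaming product Sumudu describes, as an added example written for this page (it is not the version posted in the thread, which does not appear here, nor itertools' own code): only the first iterable is consumed lazily, which is exactly why count() is acceptable in that position and in no other, since every remaining iterable is still materialized with tuple(). lazy_product, first_n, infinite_demo and single_arg_demo are this example's own names.

```python
import itertools
from itertools import count, islice


def lazy_product(first, *rest):
    """Cartesian product that streams `first` and materializes only `rest`.

    itertools.product() turns every argument into a tuple up front, which is
    why product(count()) can only end in a MemoryError. Here the first
    iterable is consumed one element at a time, so it may be infinite; the
    remaining iterables are still converted to tuples and must be finite.
    """
    pools = [tuple(pool) for pool in rest]  # tuple() of an infinite pool never returns
    for head in first:
        # product() of zero pools yields exactly one empty tuple, so the
        # single-argument case lazy_product(count(2010)) yields (2010,), (2011,), ...
        for tail in itertools.product(*pools):
            yield (head,) + tail


def first_n(iterable, n):
    """Take the first n items of a possibly infinite iterator."""
    return list(islice(iterable, n))


def infinite_demo(n):
    """Constructed input: an infinite first argument paired with a finite one."""
    return first_n(lazy_product(count(2010), "ab"), n)


def single_arg_demo(n):
    """Constructed input: the degenerate case that mirrors count() itself."""
    return first_n(lazy_product(count(2010)), n)


if __name__ == "__main__":
    print(infinite_demo(4))      # [(2010, 'a'), (2010, 'b'), (2011, 'a'), (2011, 'b')]
    print(single_arg_demo(3))    # [(2010,), (2011,), (2012,)]
```

Putting an infinite iterator anywhere but first still hangs in the tuple() call, so a caller that cannot vouch for its arguments should bound them with islice() before passing them in.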
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
py.user port...@yandex.ru added the comment:

Stefan Krah wrote:
> Thus, if fill and align are absent, it does not mean that you can add arbitrary characters like "xx".

The description says, in other words: if you have used an incorrect alignment option, then the interpreter behaves like you didn't use fill and alignment.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13781] gzip module does the wrong thing with an os.fdopen()'ed fileobj
Nadeem Vawda nadeem.va...@gmail.com added the comment:

Done.

--
resolution: -> fixed
stage: -> committed/rejected
status: open -> closed
type: -> behavior
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13781
[issue13703] Hash collision security issue
Terry J. Reedy tjre...@udel.edu added the comment:

A possible advantage of having the 3.3 fix available in earlier versions is that people will be able to turn it on and have that be the *only* change -- just as with __future__ imports done one at a time.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13703] Hash collision security issue
Gregory P. Smith g...@krypto.org added the comment:

On Wed, Jan 18, 2012 at 1:10 PM, Guido van Rossum rep...@bugs.python.org wrote:
> On Wed, Jan 18, 2012 at 1:05 PM, Antoine Pitrou rep...@bugs.python.org wrote:
>> I would hope 3.3 only gets randomized hashing. Collision counting is a hack to make bugfix releases 99.999%-compatible instead of 99.9% ;)
>
> Really? I'd expect the difference to be more than 2 nines. The randomized hashing has two problems: (a) change in dict order; (b) hash varies between processes. I cannot imagine counterexamples to the collision counting that weren't constructed specifically as counterexamples.

For the purposes of 3.3 I'd prefer to just have randomized hashing and not the collision counting in order to keep things from getting too complicated. But I will not object if we opt to do both.

As much as the counting idea rubs me wrong, even if it were on by default I agree that most non-contrived things will never encounter it and it is easy to document how to work around it by disabling it should anyone actually be impeded by it.

The concern I have with that approach from a web service point of view is that it too can be gamed in the more rare server situation of someone managing to fill a persistent data structure up with enough colliding values to be _close_ to the limit such that the application then dies while trying to process all future requests that _hit_ the limit (a persisting 500 error DOS rather than an exception raised only in one offending request that deserved that 500 error anyways). Not nearly as likely a scenario but it is one I'd keep an eye open for with an attacker hat on.

MvL's suggestion of using AVL trees for hash bucket slots instead of our linear slot finding algorithm is a better way to fix the ultimate problem by never devolving into linear behavior at all. It is naturally more complicated but could likely even be done while maintaining ABI compatibility. I haven't pondered designs and performance costs for that. Possibly a memory hit and one or two extra indirect lookups in the normal case and some additional complexity in the iteration case.

-gps

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13703] Hash collision security issue
Antoine Pitrou pit...@free.fr added the comment:

> MvL's suggestion of using AVL trees for hash bucket slots instead of our linear slot finding algorithm is a better way to fix the ultimate problem by never devolving into linear behavior at all.

A dict can contain non-orderable keys, I don't know how an AVL tree can fit into that.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13703] Hash collision security issue
Gregory P. Smith g...@krypto.org added the comment:

> A dict can contain non-orderable keys, I don't know how an AVL tree can fit into that.

Good point!

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13703] Hash collision security issue
Terry J. Reedy tjre...@udel.edu added the comment:

> As much as the counting idea rubs me wrong,

FWIW, the original 2003 paper reported that the url-caching system that they tested used collision-counting to evade attacks.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
Stefan Krah stefan-use...@bytereef.org added the comment:

The text speaks about the regular case of a second character that is not a valid alignment character, e.g.:

    format(3.222, ".2f")

Clearly the '2' fulfills this criterion, so the parser knows that the leading '.' is *not* a fill character. This is all that the text says.

But even in your irregular case the text is still correct: After it has been established that [[fill]align] is not present you have to match the *whole string* with the rest of the grammar:

    [sign][#][0][width][,][.precision][type]

There is no match for "xx10d", hence the error.

BTW, I think this is out of scope for the tracker now. If you have further questions, you could ask on:

http://mail.python.org/mailman/listinfo/python-list

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
Eric V. Smith e...@trueblade.com added the comment:

As I look at it a little closer, I think I'm going to change the message to: "Invalid format type specified". The code has determined that instead of a type that's a single character long, it's received "xx10d". That's because "xx" doesn't match any of [[fill]align][sign][#][0][width][,][.precision], so it must be the [type] field.

I'm open to a better message, though.

Due to the variable width chars in the format_spec string, including the "xx10d" along with the error text is a little complicated. But maybe including it would be an improvement: "Invalid format type 'xx10d' found, expected a single character".

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13703] Hash collision security issue
Guido van Rossum gu...@python.org added the comment:

On Wed, Jan 18, 2012 at 3:37 PM, Terry J. Reedy rep...@bugs.python.org wrote:
> Terry J. Reedy tjre...@udel.edu added the comment:
>
>> As much as the counting idea rubs me wrong,
>
> FWIW, the original 2003 paper reported that the url-caching system that they tested used collision-counting to evade attacks.

You mean as a fix or that they successfully attacked a collision-counting system?

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13703] Hash collision security issue
Antoine Pitrou pit...@free.fr added the comment:

>> As much as the counting idea rubs me wrong,
>
> FWIW, the original 2003 paper reported that the url-caching system that they tested used collision-counting to evade attacks.

I think that was DJB's DNS server/cache actually. But deciding to limit collisions in a specific application is not the same as limiting them in the general case. Python dicts have a lot of use cases that are not limited to storing URL parameters, domain names or instance attributes: there is a greater risk of meeting pathological cases with legitimate keys.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
py.user port...@yandex.ru added the comment:

Stefan Krah wrote:
> After it has been established that [[fill]align] is not present you have to match the *whole string* with the rest of the grammar

I think there should be a text in the documentation: "if the alignment option is invalid, a ValueError exception will be raised".

thanx for the mailing list

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
Stefan Krah stefan-use...@bytereef.org added the comment:

Eric V. Smith rep...@bugs.python.org wrote:
> As I look at it a little closer, I think I'm going to change the message to: "Invalid format type specified". The code has determined that instead of a type that's a single character long, it's received "xx10d". That's because "xx" doesn't match any of [[fill]align][sign][#][0][width][,][.precision], so it must be the [type] field.

I think this has the potential of being more confusing for people who are not very familiar with the format specification mini-language. I didn't look at the code now, but would the message also be raised for this spec?

    format(9, "xx10f")

> I'm open to a better message, though.

IMO "invalid format specifier" is fine. Even the existing error message is not really terrible.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13813] sysconfig.py and distutils/util.py redundancy
Jesús Cea Avión j...@jcea.es added the comment:

Could you possibly provide some background? I am afraid I am not familiar with the situation. I want to learn :)

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13813
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
Stefan Krah stefan-use...@bytereef.org added the comment:

Stefan Krah rep...@bugs.python.org wrote:
> [xx10d] look at the code now, but would the message also be raised for this spec?
>
>     format(9, "xx10f")

Argh, 'd' is of course also a valid type specifier.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
[issue13820] 2.6 is no longer in the future
New submission from Jim Jewett jimjjew...@gmail.com:

http://docs.python.org/reference/lexical_analysis.html

> Changed in version 2.5: Both as and with are only recognized when the with_statement future feature has been enabled. It will always be enabled in Python 2.6. See section The with statement for details. Note that using as and with as identifiers will always issue a warning, even when the with_statement future directive is not in effect.

That was reasonable wording for 2.5 itself, but at this point, I think it would be simpler to add a "Changed in version 2.6" entry. Perhaps:

    Changed in version 2.5: Using as or with as identifiers triggers a warning. Using them as statements requires the with_statement future feature.

    Changed in Python 2.6: as and with became full keywords.

--
assignee: docs@python
components: Documentation
messages: 151595
nosy: Jim.Jewett, docs@python
priority: normal
severity: normal
status: open
title: 2.6 is no longer in the future
type: enhancement
versions: Python 2.7
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13820
[issue13703] Hash collision security issue
Guido van Rossum gu...@python.org added the comment:

On Wed, Jan 18, 2012 at 3:46 PM, Antoine Pitrou rep...@bugs.python.org wrote:
> Antoine Pitrou pit...@free.fr added the comment:
>
>>> As much as the counting idea rubs me wrong,
>>
>> FWIW, the original 2003 paper reported that the url-caching system that they tested used collision-counting to evade attacks.
>
> I think that was DJB's DNS server/cache actually. But deciding to limit collisions in a specific application is not the same as limiting them in the general case. Python dicts have a lot of use cases that are not limited to storing URL parameters, domain names or instance attributes: there is a greater risk of meeting pathological cases with legitimate keys.

Really? This sounds like FUD to me.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13703
[issue13821] misleading return from isidentifier
New submission from Jim Jewett jimjjew...@gmail.com:

Python identifiers are in NFKC form; string method .isidentifier() returns true on strings that are not in that form. In some contexts, these non-canonical strings will be replaced with their NFKC equivalent, but in other contexts (such as the builtins hasattr, getattr, delattr) they will not.

>>> cha = chr(170)
>>> cha
'ª'
>>> cha.isidentifier()
True
>>> uc.normalize("NFKC", cha)
'a'
>>> obj.ª = 5
>>> hasattr(obj, "ª")
False
>>> obj.a
5

--
components: Unicode
messages: 151597
nosy: Jim.Jewett, ezio.melotti
priority: normal
severity: normal
status: open
title: misleading return from isidentifier
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13821
[issue13821] misleading return from isidentifier
Benjamin Peterson benja...@python.org added the comment:

I don't see why that's invalid. str.isidentifier() returning True means Python will accept it as an identifier.

--
nosy: +benjamin.peterson
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13821
[issue13811] In str.format, if invalid fill and alignment are specified, the text of the ValueError message is misleading.
Eric V. Smith e...@trueblade.com added the comment:

The existing exceptions use the text "format code" for what the documentation calls "type":

>>> format(9, "h")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: Unknown format code 'h' for object of type 'int'

So to be consistent, it should say:

>>> format(9, "xx10f")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: Invalid format code

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13811
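A parser for the format_spec grammar Stefan quotes above, as an added example written for this page (it is not CPython's own format-spec parser, and FormatSpec, parse_format_spec and explain are the example's own names). It implements the rule the thread argues over: a fill character is only present when the *second* character is an alignment option; after sign, #, 0, width, grouping and precision have been consumed, whatever is left must be the single-character type, so a leftover such as "xx10d" or "xx10f" is rejected rather than treated as fill. The error wording follows Eric's proposal in this thread and is not what any shipped Python emits.

```python
from typing import NamedTuple, Optional

# Grammar quoted in the thread:
#   [[fill]align][sign][#][0][width][,][.precision][type]
ALIGN_CHARS = "<>=^"
SIGN_CHARS = "+- "


class FormatSpec(NamedTuple):
    fill: Optional[str]
    align: Optional[str]
    sign: Optional[str]
    alternate: bool
    zero: bool
    width: Optional[int]
    grouping: bool
    precision: Optional[int]
    type: Optional[str]


def _digits(spec, i):
    """Return (int_or_None, next_index) for the run of digits starting at i."""
    j = i
    while j < len(spec) and spec[j].isdigit():
        j += 1
    return (int(spec[i:j]) if j > i else None), j


def parse_format_spec(spec):
    """Parse a format_spec by the grammar above, or raise ValueError.

    The only look-ahead is for [[fill]align]: if the *second* character is an
    alignment option the first is the fill; otherwise there is no fill, and the
    first character may still be a bare alignment option. Everything the earlier
    fields did not consume has to be the one-character type.
    """
    n = len(spec)
    i = 0
    fill = align = None
    if n >= 2 and spec[1] in ALIGN_CHARS:
        fill, align, i = spec[0], spec[1], 2
    elif n >= 1 and spec[0] in ALIGN_CHARS:
        align, i = spec[0], 1
    sign = None
    if i < n and spec[i] in SIGN_CHARS:
        sign, i = spec[i], i + 1
    alternate = i < n and spec[i] == "#"
    if alternate:
        i += 1
    zero = i < n and spec[i] == "0"
    if zero:
        i += 1
    width, i = _digits(spec, i)
    grouping = i < n and spec[i] == ","
    if grouping:
        i += 1
    precision = None
    if i < n and spec[i] == ".":
        precision, i = _digits(spec, i + 1)
        if precision is None:
            raise ValueError("Format specifier missing precision")
    rest = spec[i:]
    if len(rest) > 1:
        # Wording proposed in the thread: the leftover is longer than one type character.
        raise ValueError("Invalid format code %r found, expected a single character" % rest)
    return FormatSpec(fill, align, sign, alternate, zero, width, grouping, precision, rest or None)


def explain(spec):
    """Parsed fields as a dict, or the error text, for comparing specs side by side."""
    try:
        return parse_format_spec(spec)._asdict()
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for spec in (".2f", "x<10d", "xx10d", "xx10f", "+#010,.3f"):
        print(repr(spec), "->", explain(spec))
```

Note that ".2f" parses with no fill because '2' is not an alignment option, exactly as Stefan describes, while "xx10d" fails only at the very end: nothing before the type field can absorb the leading "xx", so the whole remainder is what the error reports.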
[issue13821] misleading return from isidentifier
Jim Jewett jimjjew...@gmail.com added the comment:

My preference would be for non_NFKC.isidentifier() to return False, but that may be a problem for backwards compatibility.

It *may* be worth adding an asidentifier() method that returns either False or the canonicalized string that should be used instead.

At a minimum, the documentation (including docstring) should warn that the method doesn't check for NFKC form, and that if the input is not ASCII, the caller should first ensure this by calling

    str1 = unicodedata.normalize("NFKC", str1)

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13821
[issue13821] misleading return from isidentifier
Benjamin Peterson benja...@python.org added the comment:

2012/1/18 Jim Jewett rep...@bugs.python.org:
> Jim Jewett jimjjew...@gmail.com added the comment:
>
> My preference would be for non_NFKC.isidentifier() to return False

It *is* an identifier, though. Python will happily accept it.

> It *may* be worth adding an asidentifier() method that returns either False or the canonicalized string that should be used instead.
>
> At a minimum, the documentation (including docstring) should warn that the method doesn't check for NFKC form, and that if the input is not ASCII, the caller should first ensure this by calling
>
>     str1 = unicodedata.normalize("NFKC", str1)

Sounds fine to me.

--
Python tracker rep...@bugs.python.org http://bugs.python.org/issue13821
[issue13821] misleading return from isidentifier
Jim Jewett jimjjew...@gmail.com added the comment:

@Benjamin -- the catch is, if it isn't already in NFKC form, then Python won't really accept it as an identifier. Sometimes it will silently canonicalize it for you so that it seems to work, but other times it won't. And a program calling isidentifier is likely to be a program that uses the strings directly for access, instead of always routing them through the parser.

--
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13821
[issue13821] misleading return from isidentifier
Benjamin Peterson benja...@python.org added the comment:

2012/1/18 Jim Jewett rep...@bugs.python.org:
> Jim Jewett jimjjew...@gmail.com added the comment:
>
> @Benjamin -- the catch is, if it isn't already in NFKC form, then Python won't really accept it as an identifier. Sometimes it will silently canonicalize it for you so that it seems to work, but other times it won't. And a program calling isidentifier is likely to be a program that uses the strings directly for access, instead of always routing them through the parser.

AFAIK, the only time it will silently canonicalize it for you is parsing. Even if it wasn't, you can't say it's not an identifier, it's just not normalized.

--
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13821
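To make the gap discussed above concrete (an added example, not code from the tracker thread; asidentifier() is the hypothetical method Jim proposes and does not exist in the stdlib, and identifier_report/attr_roundtrip are constructed names): the ligature U+FB01 'ﬁ' passes str.isidentifier(), but the parser NFKC-normalizes it to 'file' (PEP 3131), so an attribute stored under the raw string is invisible to compiled source.

```python
import unicodedata


def identifier_report(name):
    """Compare what str.isidentifier() says with what the parser actually
    binds: compiled source NFKC-normalizes identifiers, isidentifier() does
    not check for NFKC form."""
    nfkc = unicodedata.normalize("NFKC", name)
    report = {"isidentifier": name.isidentifier(), "nfkc": nfkc,
              "is_normalized": name == nfkc, "bound_as": None}
    if report["isidentifier"]:
        ns = {}
        try:
            exec(f"{name} = 1", {}, ns)   # parser normalizes the name
            report["bound_as"] = next(iter(ns))
        except SyntaxError:
            pass
    return report


def asidentifier(name):
    """Hypothetical asidentifier() as proposed in the thread: False, or the
    canonical (NFKC) form that code should use for getattr()/dict access."""
    nfkc = unicodedata.normalize("NFKC", name)
    return nfkc if nfkc.isidentifier() else False


def attr_roundtrip(name):
    """Store an attribute under the raw name, then read it back the way
    compiled source would (through the NFKC form). True only if they agree,
    which is exactly what a program using the strings 'directly for access'
    is implicitly relying on."""
    class Box:
        pass
    box = Box()
    setattr(box, name, "value")
    return getattr(box, unicodedata.normalize("NFKC", name), None) == "value"
```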
[issue13703] Hash collision security issue
Terry J. Reedy tjre...@udel.edu added the comment:

You mean as a fix or that they successfully attacked a collision-counting system?

Successful anticipation and blocking of hash attack: after a chain of 100, DNS 'treats the request as a cache miss'. What is somewhat special for this app is being able to bail at that point. Crosby & Wallach still think 'his fix could be improved', I presume by using one of their recommended hashes.

http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
section 3.2, DJB DNS server; section 5, fixes

--
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13703
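A minimal model of the collision-counting mitigation described above (an added example, not code from the thread or from djbdns; CountingTable, ChainTooLong, toy_hash and fill_until_bail are constructed names, and the length-only toy hash exists solely so a chain can be filled in a handful of inserts): once one bucket's chain reaches the limit the table bails instead of letting every lookup degrade to O(n).

```python
class ChainTooLong(Exception):
    """One bucket's chain has reached the configured limit."""

class CountingTable:
    """Separate-chaining table that bails (like djbdns treating the request as
    a cache miss) once a single chain reaches max_chain, rather than letting
    lookups degrade to O(n). hash_fn is injectable so the demo can use a weak
    toy hash; a real table would use a keyed/randomized hash here."""

    def __init__(self, nbuckets=8, max_chain=100, hash_fn=hash):
        self.buckets = [[] for _ in range(nbuckets)]
        self.max_chain = max_chain
        self.hash_fn = hash_fn

    def _bucket(self, key):
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def put(self, key, value):
        chain = self._bucket(key)
        for i, (k, _) in enumerate(chain):
            if k == key:                 # update in place; chain does not grow
                chain[i] = (key, value)
                return
        if len(chain) >= self.max_chain:
            raise ChainTooLong(f"chain for {key!r} already holds {len(chain)} entries")
        chain.append((key, value))

    def get(self, key, default=None):
        for k, v in self._bucket(key):
            if k == key:
                return v
        return default

def toy_hash(key):
    # Constructed, deliberately weak hash (string length only) so the demo can
    # fill a chain with a handful of inserts; never use anything like it.
    return len(key)

def fill_until_bail(keys, max_chain=4):
    """Insert keys into a toy-hashed table; return (inserted, bailed), where
    bailed is True if an insert was refused because its chain was full."""
    table = CountingTable(hash_fn=toy_hash, max_chain=max_chain)
    inserted = 0
    for key in keys:
        try:
            table.put(key, True)
            inserted += 1
        except ChainTooLong:
            return inserted, True
    return inserted, False
```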
[issue10109] itertools.product with infinite iterator cause MemoryError.
Terry J. Reedy tjre...@udel.edu added the comment:

A relatively simple change would be to allow the first iterable to be 'infinite', when repeat==1, by not calling tuple() on it. The reason for turning the iterables into concrete sequences is because they might not be reiterable. (cycle() does the same for the same reason.) But since the first iterable is only iterated once, this does not apply to it.

    if repeat == 1:
        # keep args[0] as-is (it is iterated only once); materialize the rest
        pools = [args[0]] + [tuple(pool) for pool in args[1:]]
    else:
        pools = [tuple(pool) for pool in args] * repeat

The counter argument to this or any generalized proposal is that one can expand the product() into enough loops to avoid infinite (or very large) args. For example, the following produces '1AA', '1AB', ..., '1EE', '2AA', ... indefinitely.

    import itertools, string
    naa = (''.join((str(n),) + s)
           for n in itertools.count(1)
           for s in itertools.product(string.ascii_uppercase[0:5], repeat=2))

RAYMOND: Do you think the doc should specify that each iterable must be finite, and that explicit loops are the alternative if not?

--
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue10109
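The sketch above as a complete function (an added example, not code from the thread or from itertools; product_lazy_first, take, infinite_demo and numbered_labels are constructed names): when repeat == 1 the first iterable is consumed lazily, so itertools.count() works as the first argument, while the remaining pools are still materialized because they are re-iterated for every element of the first.

```python
import itertools


def product_lazy_first(*iterables, repeat=1):
    """Cartesian product that, when repeat == 1, consumes the first iterable
    lazily (so it may be infinite) and materializes only the remaining ones,
    which must be re-iterated for every element of the first."""
    if repeat == 1 and iterables:
        first, rest = iterables[0], [tuple(pool) for pool in iterables[1:]]
        for head in first:                      # iterated exactly once
            for tail in itertools.product(*rest):
                yield (head,) + tail
    else:
        # repeat != 1 re-iterates every pool, so the stdlib behaviour stands.
        yield from itertools.product(*iterables, repeat=repeat)


def take(n, iterable):
    """First n items of a possibly infinite iterable, as a list."""
    return list(itertools.islice(iterable, n))


def infinite_demo(n):
    """First n pairs of count(1) x 'AB'; would never return with
    itertools.product, which calls tuple() on count(1)."""
    return take(n, product_lazy_first(itertools.count(1), "AB"))


def numbered_labels():
    """The '1AA', '1AB', ..., '1EE', '2AA', ... stream from the comment,
    expressed with the lazy product instead of explicit nested loops."""
    pairs = itertools.product("ABCDE", repeat=2)
    return (str(n) + "".join(s)
            for n, s in product_lazy_first(itertools.count(1), pairs))
```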
[issue13822] is(upper/lower/title) are not exactly correct
New submission from Benjamin Peterson benja...@python.org:

The isupper() and islower() methods currently use the Lowercase and Uppercase derived properties. Technically, they should use the Changes_When_(Lowercased/Uppercased/Titlecased) and Changes_When_Casemapped derived properties to compute their results.

--
components: Unicode
messages: 151606
nosy: benjamin.peterson, ezio.melotti
priority: normal
severity: normal
status: open
title: is(upper/lower/title) are not exactly correct
versions: Python 3.3

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13822
[issue2134] Add new attribute to TokenInfo to report specific token IDs
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:

New changeset 75baef657770 by Meador Inge in branch '2.7':
Issue #2134: Clarify token.OP handling rationale in tokenize documentation.
http://hg.python.org/cpython/rev/75baef657770

New changeset dfd74d752b0e by Meador Inge in branch '3.2':
Issue #2134: Clarify token.OP handling rationale in tokenize documentation.
http://hg.python.org/cpython/rev/dfd74d752b0e

New changeset f4976fa6e830 by Meador Inge in branch 'default':
Issue #2134: Add support for tokenize.TokenInfo.exact_type.
http://hg.python.org/cpython/rev/f4976fa6e830

--
nosy: +python-dev

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2134
[issue2134] Add new attribute to TokenInfo to report specific token IDs
Meador Inge mead...@gmail.com added the comment:

Fixed. Thanks for the reviews everyone.

--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2134
[issue12705] Make compile('1\n2\n', '', 'single') raise an exception instead of silently truncating?
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:

New changeset 2bd7f40108b4 by Meador Inge in branch 'default':
Issue #12705: Raise SyntaxError when compiling multiple statements as single interactive statement
http://hg.python.org/cpython/rev/2bd7f40108b4

--
nosy: +python-dev

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue12705
[issue12705] Make compile('1\n2\n', '', 'single') raise an exception instead of silently truncating?
Meador Inge mead...@gmail.com added the comment:

Fixed in 3.3.

--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue12705
[issue7980] time.strptime not thread safe
Changes by Florent Xicluna florent.xicl...@gmail.com:

--
nosy: +flox

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue7980
[issue11108] Intermittent AttributeError when using time.strptime in threads
Changes by Florent Xicluna florent.xicl...@gmail.com:

--
nosy: +flox

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11108