Stefan Behnel wrote:
> Ok, but does that really make it a relevant topic for python-dev?
Sorry - I thought I was reading python-general. gmane makes it too easy to
post :-). However, I think it's worth pointing that out, in case people
think that Popen is a security panacea.
J
__
Antoine Pitrou wrote:
> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.
Of course anything called by subprocess with shell=False may invoke the
shell itself if it runs oth
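The difference Antoine and Jeremy are pointing at, shown as an added example (this is not code from the thread): the same attacker-controlled string is passed to `echo` three ways. With the list form and the default `shell=False`, the `;` is an ordinary character inside one argv element; with string concatenation and `shell=True` (the `os.system` pattern), the shell parses it and runs a second command; with `shlex.quote()` the shell sees one literal word. The hostile input is constructed for the demo, and a POSIX `/bin/sh` with `echo` is assumed.

```python
import shlex
import subprocess

# Constructed attacker-controlled input: a "filename" that smuggles a
# shell command separator and a second command.
HOSTILE_ARG = "report.txt; echo INJECTED"


def run_without_shell(arg: str) -> str:
    # List form, shell=False (the subprocess default): no shell is involved,
    # so arg reaches echo as a single argv element and ';' is just text.
    result = subprocess.run(
        ["echo", arg], capture_output=True, text=True, check=True
    )
    return result.stdout


def run_with_shell(arg: str) -> str:
    # String concatenation plus shell=True behaves like os.system(): the
    # shell tokenizes the line and ';' splits it into two commands.
    result = subprocess.run(
        "echo " + arg, shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_with_shell_quoted(arg: str) -> str:
    # When a shell is genuinely required, shlex.quote() wraps the value so
    # the shell treats it as one word; the second command never runs.
    result = subprocess.run(
        "echo " + shlex.quote(arg), shell=True, capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    print("shell=False :", repr(run_without_shell(HOSTILE_ARG)))
    print("shell=True  :", repr(run_with_shell(HOSTILE_ARG)))
    print("quoted      :", repr(run_with_shell_quoted(HOSTILE_ARG)))
```

The first and third calls print the input back as one line; the second prints two lines, the second of which came from the injected command. Note that `shell=False` only protects the boundary between Python and the child process: if the child itself hands its arguments to a shell (as Jeremy observes), the same problem reappears one level down.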
Jeremy Sanders wrote:
> Victor Stinner wrote:
>
>> If hash(str1)&DICT_MASK == hash(str2)&DICT_MASK but
>> hash(str1)!=hash(str2), strings are not compared (this is a common
>> optimization in Python), and so the attack would not be successful
>>
Victor Stinner wrote:
> If hash(str1)&DICT_MASK == hash(str2)&DICT_MASK but
> hash(str1)!=hash(str2), strings are not compared (this is a common
> optimization in Python), and so the attack would not be successful
> (it would be slow, but not as slow as comparing two strings).
It's a shame th
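Victor's point about the dict optimization, as an added example that is not part of the thread: CPython compares the stored full hash with the probe hash before it ever calls the key's `__eq__`, so keys that collide only in the low bits (`hash & DICT_MASK`) cost extra probes but no equality comparisons, while keys with identical full hashes force a comparison on every probe. The `Key` class below is a stand-in for `str` whose hash can be chosen freely and whose `__eq__` is counted; the hash values and key counts are constructed for the demo, and a 64-bit `Py_hash_t` is assumed so that `k << 40` is not truncated.

```python
class Key:
    """A dict key with a chosen hash and an instrumented __eq__."""

    eq_calls = 0  # class-wide counter of equality comparisons

    def __init__(self, name: str, h: int) -> None:
        self.name = name
        self.h = h

    def __hash__(self) -> int:
        return self.h

    def __eq__(self, other: object) -> bool:
        Key.eq_calls += 1
        return isinstance(other, Key) and self.name == other.name


def eq_calls_while_inserting(keys: list) -> int:
    """Insert the keys into a fresh dict and return how many __eq__ calls
    the insertions triggered."""
    Key.eq_calls = 0
    d = {}
    for k in keys:
        d[k] = None
    return Key.eq_calls


def identical_full_hash(n: int) -> list:
    # Every key hashes to 0: same slot, same full hash, so each probe of an
    # occupied slot falls through to __eq__ (the classic collision DoS).
    return [Key(f"k{i}", 0) for i in range(n)]


def identical_low_bits_only(n: int) -> list:
    # Low 40 bits are all zero, so hash & mask is identical for any table
    # the dict will use here, yet the full hashes differ; CPython rejects
    # each occupied slot on the hash mismatch without calling __eq__.
    return [Key(f"k{i}", i << 40) for i in range(n)]


if __name__ == "__main__":
    n = 50
    print("identical full hash  :", eq_calls_while_inserting(identical_full_hash(n)))
    print("identical low bits   :", eq_calls_while_inserting(identical_low_bits_only(n)))
```

With identical full hashes, inserting the k-th key compares against all k earlier keys, so n keys cost n(n-1)/2 comparisons. With collisions only in the masked bits, the probe sequence is just as long but the comparison count stays at zero, which is the "slow, but not as slow as comparing two strings" case Victor describes. Resizes do not change the count: `dict` rebuilds its index from stored hashes alone.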
Dan Stromberg wrote:
> SIP's approach of using something close to, but not identical to, the .h's
> sounds like it might be pretty productive - especially if the derivative
> of the .h's could be automatically derived using a python script, with
> minor
> tweaks to the inputs on .h upgrades. But