Re: [Python-Dev] __file__ and bytecode-only

2010-03-14 Thread Jon Ribbens
On Fri, Mar 12, 2010 at 05:56:57PM -0500, Barry Warsaw wrote: > Nope, sorry I should have been clearer. > > *creation* is the key here. As per BDFL pronouncement, we'll support reading > pyc-only modules just like we do today. This is in PEP 3147. We won't > support creating them though. > > B

Re: [Python-Dev] argparse ambiguity handling

2010-04-20 Thread Jon Ribbens
On Tue, Apr 20, 2010 at 03:27:53PM -0400, Neal Becker wrote: > I have a preference to allow at least exact matches to succeed even in the > case of ambiguity - mainly because I accidentally created this already once, > and I feel it's better to at least work somewhat. Not sure if there is any >

Re: [Python-Dev] argparse ambiguity handling

2010-04-21 Thread Jon Ribbens
On Wed, Apr 21, 2010 at 03:53:16AM -0400, Eric Smith wrote: > I agree the new behavior is desirable. And I also think it should be the > default, although I feel less strongly about that. > > But since this behavior seems to be an accident of the implementation > (based on Steve's comment above

Re: [Python-Dev] urlparse.urlunsplit should be smarter about +

2010-05-09 Thread Jon Ribbens
On Sun, May 09, 2010 at 03:19:40PM -0600, David Abrahams wrote: > Yes. But the question is whether urlparse should really be so fragile > that every hierarchical scheme needs to be explicitly registered. > Surely ending with “+file” should be sufficient to have it recognized > as a file-based sche

Re: [Python-Dev] PEP 3148 ready for pronouncement

2010-05-23 Thread Jon Ribbens
On Sun, May 23, 2010 at 03:16:27PM +0400, Andrew Svetlov wrote: > Is there any reason to have Future .cancelled, .done, .running as methods? > From my perspective they are really readonly properties. > > BTW, is 'cancelled' correct name? Spell-checkers likes only single 'l' > form: 'canceled'. I

Re: [Python-Dev] Looking after the buildbots (in general)

2010-08-05 Thread Jon Ribbens
On Wed, Aug 04, 2010 at 07:26:06PM -0400, Barry Warsaw wrote: > On Aug 04, 2010, at 06:39 PM, Steve Holden wrote: > >I'll see if I can get God to extend it for you. > > No need to involve the supernatural Steve! Just approve that PSF grant I > submitted so I can finish my (Python powered of cours

Re: [Python-Dev] Issue5434: datetime.monthdelta

2009-04-16 Thread Jon Ribbens
On Thu, Apr 16, 2009 at 12:10:36PM +0400, Oleg Broytmann wrote: > > This patch adds a "monthdelta" class and a "monthmod" function to the > > datetime module. The monthdelta class is much like the existing > > timedelta class, except that it represents months offset from a date, > > rather than an

Re: [Python-Dev] PEP 389: argparse - new command line parsing module

2009-09-28 Thread Jon Ribbens
On Mon, Sep 28, 2009 at 09:38:20AM +0100, Floris Bruynooghe wrote: > On Mon, Sep 28, 2009 at 06:59:45AM +0300, Yuvgoog Greenle wrote: > > -1 for deprecating getopt. getopt is super-simple and especially useful for > > c programmers learning python. > > > > +1 for argparse.+1 for eventual deprecati

Re: [Python-Dev] PEP 389: argparse - new command line parsing module

2009-10-01 Thread Jon Ribbens
On Thu, Oct 01, 2009 at 09:58:59AM +0100, Paul Moore wrote: > (Question - is it *ever* possible for a Unix program to have invalid > file descriptors 0,1 and 2? At startup - I'm assuming anyone who does > os.close(1) knows what they are doing!) Yes, at startup you just have the file descriptors yo

Re: [Python-Dev] datetime module enhancements

2007-03-09 Thread Jon Ribbens
"\"Martin v. Löwis\"" <[EMAIL PROTECTED]> wrote: > There are know problems comparing durations (e.g. is 30 days more > or less than a month?). For time stamps, there is no issue. For > calender dates, there are again problems, in particular with time > zones. Python durations (datetime.timedelta)

Re: [Python-Dev] datetime module enhancements

2007-03-09 Thread Jon Ribbens
Brett Cannon <[EMAIL PROTECTED]> wrote: > > Treat dates as if they have a time-part of midnight. This is my preferred > > solution, and it is already what the datetime module does, for example, > > when subtracting two dates. > > I personally like the current solution. The proposal to just assume

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
"Phillip J. Eby" <[EMAIL PROTECTED]> wrote: > At 09:20 PM 3/9/2007 +, Jon Ribbens wrote: > >If you want the answer to be "the entire of that day" then you need > >to alter the datetime module so that, e.g. subtracting 2007-03-08 > >from 2007-03

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
Steven Bethard <[EMAIL PROTECTED]> wrote: > Using the .date() is fine when the year/month/day doesn't match. So > the following are fine:: > datetime.datetime(2005, 1, 1, 0, 0, 0) < datetime.date(2006, 1, 1) > datetime.datetime(2007, 1, 1, 0, 0, 0) > datetime.date(2006, 1, 1) > It's *not*

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
Christian Heimes <[EMAIL PROTECTED]> wrote: > Jon Ribbens schrieb: > > So you're deciding that a 'date' is 'the entire of that day', except > > when you subtract two of them, when it suddenly means something else? ;-) > > It makes kinda s

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
Christian Heimes <[EMAIL PROTECTED]> wrote: > > What do you feel "next Tuesday plus 12 hours" means? ;-) > > First thought: It's nonsense! Nobody would say that. ;) > > Second thought: Tuesday noon (12h after the beginning of Tuesday) I agree with you entirely. Your suggestions correspond to 'thr

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
Robert Brewer <[EMAIL PROTECTED]> wrote: >> One solution that just occurred to me -- and that >> skirts the issue of choosing an interpretation -- >> is that, when comparing date and datetime objects, >> the datetime's .date() method is called and the >> result of that call is c

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
Steven Bethard <[EMAIL PROTECTED]> wrote: > I don't see why the docs can't be explicit about what subtraction > means given that there are a number of possible interpretations. I don't see why the docs can't be explicit about what comparison means given that there are a number of possible interpre

Re: [Python-Dev] datetime module enhancements

2007-03-10 Thread Jon Ribbens
I see you snipped without response my request to back up your claim that "assuming that a date() is a datetime() with a time of midnight will clearly break that logic". Am I to assume you cannot back it up? ___ Python-Dev mailing list Python-Dev@python.o

Re: [Python-Dev] datetime module enhancements

2007-03-11 Thread Jon Ribbens
Steven Bethard <[EMAIL PROTECTED]> wrote: > I was trying to minimize the extent of this already too long thread, > assuming you could go do the reading I referred you to if you were > really interested in the answer. There's nothing to be gained by being patronising. > I still encourage you to re

Re: [Python-Dev] datetime module enhancements

2007-03-11 Thread Jon Ribbens
Collin Winter <[EMAIL PROTECTED]> wrote: > Please find or write a package that makes the assumptions you want, > since datetime clearly isn't the module you want. Datetime clearly *is* the module I want. It already makes the assumptions I want, I just want it to make them consistently.

Re: [Python-Dev] These csv test cases seem incorrect to me...

2007-03-11 Thread Jon Ribbens
Andrew McNamara <[EMAIL PROTECTED]> wrote: > The point was to produce the same results as Excel. Sure, Excel probably > doesn't generate crap like this itself, but 3rd parties do, and people > complain if we don't parse it just like Excel (sigh). The slight problem with copying Excel is that Excel

Re: [Python-Dev] thread safe SMTP module

2007-03-14 Thread Jon Ribbens
Gordon Messmer <[EMAIL PROTECTED]> wrote: > After some discussion, Aahz suggested that I discuss the problem here, > on python-dev. He seemed to think that the problem I saw may have been > an indication of a bug in python. Could anyone take a look at that > thread and say whether it looks lik

Re: [Python-Dev] thread safe SMTP module

2007-03-14 Thread Jon Ribbens
Aahz <[EMAIL PROTECTED]> wrote: > One small wrinkle (and the reason I suggested bringing this to > python-dev): I suspect that the problem is not a bug, but simply the > occasional failure of sockets. When that happens in a threaded app > without timeouts, eventually threads "die" (block forever).

Re: [Python-Dev] thread safe SMTP module

2007-03-14 Thread Jon Ribbens
Gordon Messmer <[EMAIL PROTECTED]> wrote: > Tonight I should have time to pull an old copy of the code out of CVS > and recreate the test script that I used. Once I have, it should be a > matter of feeding a big list of email addresses to the script and > waiting a couple of minutes for the scr

Re: [Python-Dev] Status of thread cancellation

2007-03-19 Thread Jon Ribbens
Nick Maclaren <[EMAIL PROTECTED]> wrote: > Sockets, terminals etc. are stateful devices, and killing a process > can leave them in a very unclean state. It is one of the most > common causes of unkillable processes (the process can't go until > its files do, and the socket is jammed). Can you ela

Re: [Python-Dev] Status of thread cancellation

2007-03-21 Thread Jon Ribbens
Nick Maclaren <[EMAIL PROTECTED]> wrote: > Well, I have seen it hundreds of times on a dozen different Unices; > it is very common. You don't always SEE the stuck process - sometimes > the 'kill -9' causes the pid to become invisible to ps etc., and > just occasionally it can continue to use CPU u

Re: [Python-Dev] deprecate commands.getstatus()

2007-03-22 Thread Jon Ribbens
"\"Martin v. Löwis\"" <[EMAIL PROTECTED]> wrote: > > And do we even need os.fork(), os.exec*(), os.spawn*()? > > I don't know about about *os*.fork; I surely like to have posix.fork. > The posix module exposes many OS functions as-is. This has the > advantage that their semantics are crystal-clea

Re: [Python-Dev] python3k change to slicing

2007-04-19 Thread Jon Ribbens
Guido van Rossum <[EMAIL PROTECTED]> wrote: > -1 Me too. > While this may be theoretically preferable, I believe that in practice > changing this would be a major pain for very little gain. I don't > recall ever finding a bug related to this feature, and I believe it's > occasionally useful. I f

Re: [Python-Dev] Implicit String Concatenation and Octal Literals Was: PEP 30XZ: Simplified Parsing

2007-05-03 Thread Jon Ribbens
On Wed, May 02, 2007 at 10:23:39PM -0700, Raymond Hettinger wrote: > Another way to look at it is to ask whether we would consider > adding implicit string concatenation if we didn't already have it. > I think there would be a chorus of emails against it Personally, I would have been irritated if

Re: [Python-Dev] The docs, reloaded

2007-05-21 Thread Jon Ribbens
On Sat, May 19, 2007 at 07:14:09PM +0200, Georg Brandl wrote: > For the impatient: the result can be seen at . I think that looks great. One comment I have, I don't know if it's relevant - it perhaps depends on whether the "Global Module Index" is auto-generated or not. T

Re: [Python-Dev] The docs, reloaded

2007-05-22 Thread Jon Ribbens
On Tue, May 22, 2007 at 06:13:36PM +0200, Georg Brandl wrote: > Finding the location that tells you how to suggest changes, and opening > a new bug in the infamous SF tracker is not really something people do > happily. A "click here to suggest a change" link that leads to a pseudo- > edit-form, co

Re: [Python-Dev] The docs, reloaded

2007-05-22 Thread Jon Ribbens
On Tue, May 22, 2007 at 01:19:36PM -0400, Steve Holden wrote: > > For example, this rocks! :: > > > > http://pydoc.gbrandl.de/search.html?q=os.path&area=default > > It would be more impressive if the search string returned hits ... Also if it was not completely reliant on JavaScript... (Maybe

Re: [Python-Dev] TLSAbruptCloseError

2007-06-13 Thread Jon Ribbens
On Tue, Jun 05, 2007 at 12:55:07PM -0400, Todd Hopfinger wrote: >I am using TLS Lite and J2ME SecureConnection for the purposes of >encrypting traffic to/from a Java Midlet client and a multithreaded Python >server. However, I encounter a TLSAbruptCloseError. I have tried to >determ

Re: [Python-Dev] Pythreads and BSD descendants

2007-08-03 Thread Jon Ribbens
On Thu, Jul 26, 2007 at 04:08:37PM +, Cameron Laird wrote: > Folklore that I remember so unreliably I avoid trying to repeat it here > held that Python threading had problems on BSD and allied Unixes. What's > the status of this? I suspect the answer is, "Everything works, and the > only real

Re: [Python-Dev] Removing the GIL (Me, not you!)

2007-09-13 Thread Jon Ribbens
On Thu, Sep 13, 2007 at 12:19:21PM +0200, André Malo wrote: > > Pardon my ignorance but why does Python do reference counting for truly > > global and static objects like None, True, False, small and cached > > integers, sys and other builtins? If I understand it correctly these > > objects are nev

Re: [Python-Dev] Removing the GIL (Me, not you!)

2007-09-13 Thread Jon Ribbens
On Thu, Sep 13, 2007 at 01:15:39PM +0200, "Martin v. Löwis" wrote: > > To put it another way, would it actually matter if the reference > > counts for such objects became hopelessly wrong due to non-atomic > > adjustments? > > If they drop to zero (which may happen due to non-atomic adjustments),

Re: [Python-Dev] Removing the GIL (Me, not you!)

2007-09-13 Thread Jon Ribbens
On Thu, Sep 13, 2007 at 06:38:05PM -0500, [EMAIL PROTECTED] wrote: > Hrvoje> More precisely, Python will call the deallocator appropriate for > Hrvoje> the object type. If that deallocator does nothing, the object > Hrvoje> continues to live. Such objects could also start out with a >

Re: [Python-Dev] Removing the GIL (Me, not you!)

2007-09-14 Thread Jon Ribbens
On Fri, Sep 14, 2007 at 03:30:49PM -0400, Jean-Paul Calderone wrote: > > I don't really like the maxint/2 idea because it requires us to > >differentiate between globals and everything else. Plus, it's a hack. I'd > >like a more elegant solution if possible. > > It's not really a solution either.

Re: [Python-Dev] Does Python need a file locking module (slightly higher level)?

2007-10-22 Thread Jon Ribbens
On Tue, Oct 23, 2007 at 12:16:41PM +1300, Greg Ewing wrote: > [EMAIL PROTECTED] wrote: > > This interface follows the completely stupid semantics of System V and > > IEEE Std 1003.1-1988 (``POSIX.1'') that require that all locks > > associated with a file for a given process are removed

Re: [Python-Dev] Does Python need a file locking module (slightly higher level)?

2007-10-22 Thread Jon Ribbens
On Tue, Oct 23, 2007 at 12:29:35PM +1300, Greg Ewing wrote: > [EMAIL PROTECTED] wrote: > > Does fcntl.flock work over NFS and SMB and on Windows? > > I don't think file locking will ever work over NFS, since > it's a stateless protocol by design, and locking would > require maintaining state on th

Re: [Python-Dev] PEP: per user site-packages directory

2008-01-14 Thread Jon Ribbens
On Mon, Jan 14, 2008 at 03:07:20PM -0500, Barry Warsaw wrote: > I feel pretty strongly that ~/bin should *not* be used. It makes > sense to me that ~/.local would mirror /usr/local. It makes sense, but personally I have never heard before of ~/.local. Whereas ~/bin is something I am quite famil

Re: [Python-Dev] trunc()

2008-01-29 Thread Jon Ribbens
On Mon, Jan 28, 2008 at 08:07:21PM -0800, Guido van Rossum wrote: > PS. There's something wrong with Raymond's mailer that creates a > thread in gmail whenever he responds. I suspect it's not correctly > adding an In-reply-to header. That makes the thread feel much more > disconnected than most, be

Re: [Python-Dev] Py3k and asyncore/asynchat

2008-02-15 Thread Jon Ribbens
On Fri, Feb 15, 2008 at 09:24:14AM -0500, A.M. Kuchling wrote: > On Thu, Feb 14, 2008 at 06:24:04PM -0800, Josiah Carlson wrote: > > 1.a. Figure out what the hell is up with OOB data, how to handle it, > > and stop making it use handle_expt(). > > Does OOB data actually need to be supported? For

Re: [Python-Dev] Consistent platform name for 64bit windows (was: distutils.util.get_platform() for Windows)

2008-03-18 Thread Jon Ribbens
On Wed, Mar 19, 2008 at 02:05:37AM +0900, [EMAIL PROTECTED] wrote: > So, at the risk of painting a bike-shed, I'd like to propose that we adopt > 'AMD64' in distutils (needs a change), platform.py (needs a change to use > sys.getwindowsversion() in preference to pywin32, if possible, anyway), > and

Re: [Python-Dev] utf-8 encoding in checkins?

2011-03-27 Thread Jon Ribbens
On Sun, Mar 27, 2011 at 05:21:08PM +0200, Antoine Pitrou wrote: > On Sun, 27 Mar 2011 10:06:49 -0500 > s...@pobox.com wrote: > > It seems that all checkin mails are utf-8-encoded. This makes it > > challenging to view checkin mails if you have a text-based mail reader. (I > > use VM within XEmacs

Re: [Python-Dev] utf-8 encoding in checkins?

2011-03-27 Thread Jon Ribbens
On Sun, Mar 27, 2011 at 02:13:29PM -0400, Eugene Toder wrote: > > I'm not disputing that, and I understand that my current choice of mail > > reader limits me.  I was just asking if it would be possible (read: fairly > > easy) to only generate utf-8 when it was necessary. > > Isn't utf-8 itself sa

Re: [Python-Dev] utf-8 encoding in checkins?

2011-03-27 Thread Jon Ribbens
On Sun, Mar 27, 2011 at 02:21:25PM -0400, R. David Murray wrote: > > Mind you, I've never managed to get the <-- button working reliably > > either, but to be fair that's insanely complicated too. > > No idea what that is. "Backspace" key.

Re: [Python-Dev] Rework nntlib?

2010-09-14 Thread Jon Ribbens
On Tue, Sep 14, 2010 at 11:43:46AM -0500, s...@pobox.com wrote: > We got rid of gopherlib a few years ago (deprecated in 2.5, presumably gone > in 2.6). I suspect the NNTP protocol has a greatly diminished user base as > well, GMANE's presence notwithstanding. NNTP is *very* considerably less dea

Re: [Python-Dev] Rework nntlib?

2010-09-14 Thread Jon Ribbens
On Tue, Sep 14, 2010 at 05:22:59PM -0400, Steve Holden wrote: > On 9/14/2010 4:40 PM, Jon Ribbens wrote: > > NNTP is *very* considerably less dead than gopher. > > That's an interesting metric. Would you like to list the extant > libraries implementing protocol

Re: [Python-Dev] Distutils2 scripts

2010-10-08 Thread Jon Ribbens
On Fri, Oct 08, 2010 at 01:24:09PM +0200, Dirkjan Ochtman wrote: > On Fri, Oct 8, 2010 at 09:05, Tarek Ziadé wrote: > > The feedback I received for this is pretty clear: people want a single > > script that can be called directly. e.g. > > > > $ distutils2 depgraph > > $ distutils2 install > > $ d

Re: [Python-Dev] Distutils2 scripts

2010-10-08 Thread Jon Ribbens
On Fri, Oct 08, 2010 at 11:04:35AM -0400, Toshio Kuratomi wrote: > In the larger universe of programs, it might make for more intuitive > remembering of the command to use a prefix (either py or python) though. > > python-setup is a lot like python setup.py > pysetup is shorter > pyegg is even sh

Re: [Python-Dev] FreeBSD 7 amd64 and large memory tests

2008-09-17 Thread Jon Ribbens
On Wed, Sep 17, 2008 at 08:21:55AM -0700, Alex Martelli wrote: > Unbelievable as this may seem, this crazy over-committing malloc > behavior is by now "a classic" -- I first fought against it in 1990, > when IBM released AIX 3 for its then-new RS/6000 line of workstations; > in a later minor releas

Re: [Python-Dev] Status on PEP-431 Timezones

2015-07-27 Thread Jon Ribbens
On Mon, Jul 27, 2015 at 01:04:03AM -0500, Tim Peters wrote: > [Tim] > >> The Python docs also are quite clear about that all arithmetic within > >> a single timezone is "naive". That was intentional. The _intended_ > >> way to do "aware" arithmetic was always to convert to UTC, do the > >> arithm

Re: [Python-Dev] Status on PEP-431 Timezones

2015-07-28 Thread Jon Ribbens
On Mon, Jul 27, 2015 at 04:28:48PM -0700, Chris Barker wrote: > > The only other thing I found > > really weird about datetime is how Python 2 had no implementation of > > a UTC tzinfo class, despite this being utterly trivial - > >Huh? it is either so trivial that there is no p

Re: [Python-Dev] What does a double coding cookie mean?

2016-03-15 Thread Jon Ribbens
On Tue, Mar 15, 2016 at 01:30:08PM -0700, Guido van Rossum wrote: > I came across a file that had two different coding cookies -- one on > the first line and one on the second. CPython uses the first, but mypy > happens to use the second. I couldn't find anything in the spec or > docs ruling out th

[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-08 Thread Jon Ribbens
I've made another attempt at Python sandboxing, which does something which I've not seen tried before - using the 'ast' module to do static analysis of the untrusted code before it's executed, to prevent most of the sneaky tricks that have been used to break out of past attempts at sandboxes. In s

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-08 Thread Jon Ribbens
On Fri, Apr 08, 2016 at 03:37:45PM +0100, Paul Moore wrote: > On 8 April 2016 at 15:18, Jon Ribbens > wrote: > > I would be very interested to see if anyone can manage to break it. > > Bugs which are trivially fixable are of course welcomed, but the real > > quest

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-08 Thread Jon Ribbens
On Fri, Apr 08, 2016 at 05:21:38PM +0200, Arthur Darcet wrote: >If i'm not mistaken, this breaks out: >> exec('open("out", "w").write("a")', {}) >because if the second argument of exec does not contain a __builtins__ >key, then a copy of the original builtins module is inserted: >

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-08 Thread Jon Ribbens
On Fri, Apr 08, 2016 at 05:49:12PM +0200, Marcin Kościelnicki wrote: > On 08/04/16 16:18, Jon Ribbens wrote: > That one is trivially fixable, but here goes: > > async def a(): > global c > c = b.cr_frame.f_back.f_back.f_back > > b = a() > b.send(None) >

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-08 Thread Jon Ribbens
On Sat, Apr 09, 2016 at 02:20:49AM +1000, Chris Angelico wrote: > On Sat, Apr 9, 2016 at 12:18 AM, Jon Ribbens > wrote: > > Anyway the code is at https://github.com/jribbens/unsafe > > It requires Python 3.4 or later (it could probably be made to work on > > Python 2.7 as

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-10 Thread Jon Ribbens
On Sat, Apr 09, 2016 at 02:43:19PM +0200, Victor Stinner wrote: >Please don't lose time trying yet another sandbox inside CPython. It's >just a waste of time. It's broken by design. > >Please read my email about my attempt (pysandbox): >https://lwn.net/Articles/574323/ > >And

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-10 Thread Jon Ribbens
On Sun, Apr 10, 2016 at 02:51:23PM +1000, Nick Coghlan wrote: > On 9 April 2016 at 22:43, Victor Stinner wrote: > > See pysandbox test suite for a lot of ways to escape a sandbox. CPython has > > a list of known code to crash CPython (I don't recall the directory in > > sources), even with the late

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-10 Thread Jon Ribbens
On Mon, Apr 11, 2016 at 12:07:48AM +0300, Serhiy Storchaka wrote: > On 10.04.16 19:51, Jon Ribbens wrote: > >On Sun, Apr 10, 2016 at 02:51:23PM +1000, Nick Coghlan wrote: > >>On 9 April 2016 at 22:43, Victor Stinner wrote: > >>>See pysandbox test suite for a l

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-10 Thread Jon Ribbens
On Sun, Apr 10, 2016 at 02:08:16PM -0700, Nikolaus Rath wrote: > On Apr 10 2016, Jon Ribbens wrote: > > On Sat, Apr 09, 2016 at 02:43:19PM +0200, Victor Stinner wrote: > > That's the opposite of my approach though - I'm starting small and > > adding things, n

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-11 Thread Jon Ribbens
On Mon, Apr 11, 2016 at 11:40:05AM +0200, Victor Stinner wrote: > 2016-04-10 18:43 GMT+02:00 Jon Ribbens : > > That's the opposite of my approach though - I'm starting small and > > adding things, not starting with everything and removing stuff. Even > > if what

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-11 Thread Jon Ribbens
On Mon, Apr 11, 2016 at 08:35:11AM -0700, Nikolaus Rath wrote: > On Apr 11 2016, Jon Ribbens wrote: > >> What I see is that you asked to break your sandbox, and less than 1 > >> hour later, a first vulnerability was found (exec called with two > >> parameters

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-11 Thread Jon Ribbens
On Mon, Apr 11, 2016 at 04:04:21PM +0100, Paul Moore wrote: > However, it's not at all clear (to me at least) what you *are* trying > to do. I'm trying to see to what extent we can use ast node inspection to remedy the failures of prior attempts at Python sandboxing. Is there *any* extent to which

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-11 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 03:02:54AM +1000, Chris Angelico wrote: > On Tue, Apr 12, 2016 at 2:53 AM, Jon Ribbens > wrote: > > On Mon, Apr 11, 2016 at 04:04:21PM +0100, Paul Moore wrote: > >> However, it's not at all clear (to me at least) what you *are* trying > >&g

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-11 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 01:08:36PM +1200, Greg Ewing wrote: > Jon Ribbens wrote: > >So far it looks like blocking "_*" and the frame object attributes > >appears to be sufficient. > > Even if your sandbox as it currently exists is secure, it's > only an ext

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 06:28:34PM +1000, Chris Angelico wrote: > On Sat, Apr 9, 2016 at 12:18 AM, Jon Ribbens > wrote: > > Anyway the code is at https://github.com/jribbens/unsafe > > It requires Python 3.4 or later (it could probably be made to work on > > Python 2.7 as

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 06:57:37PM +1000, Chris Angelico wrote: > And yes, you win if you get another module. Interestingly, you're > allowed to import urllib.parse, but not urllib itself; but "import > urllib.parse" makes urllib available - and, since modules inside > modules are blacklisted, "url

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 08:27:14PM +1000, Chris Angelico wrote: > On Tue, Apr 12, 2016 at 8:06 PM, Jon Ribbens > wrote: > > No, it still isn't. If the names blacklist had to keep being extended > > then you would be right, but that hasn't happened so far. Whitelists &g

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 06:21:04AM -0400, Isaac Morland wrote: > On Tue, 12 Apr 2016, Jon Ribbens wrote: > >>This is still a massive game of whack-a-mole. > > > >No, it still isn't. If the names blacklist had to keep being extended > >then you would be rig

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 01:38:09PM +0200, Maciej Fijalkowski wrote: > Jon, let me reiterate. You asked people to break it (that's the title > of the thread) and they did so almost immediately. Then you patched > the thing and asked them to break it again and they did. Now the > faulty assumption he

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 02:05:06PM +0200, Victor Stinner wrote: > 2016-04-12 13:10 GMT+02:00 Jon Ribbens : > > No, it's a matter of reducing the whitelist. I must admit that > > I don't understand in what way this is not already clear. Look: > > > > &

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 02:31:19PM +0200, Victor Stinner wrote: > Oh, I forgot to mention another vulnerability: you block access to > attributes by replacing getattr and by analyzing the AST. Ok, but one > more time, it's not enough. If you get access to obj.__dict__, you > will likely get access

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 02:16:57PM +0200, Victor Stinner wrote: > I read your code and the code of CPython. I found many issues. Thanks for your efforts. > Your "safe import" hides real functions with a proxy. Ok. But the code > of modules is still run in the real namespace, Yes, that was the in

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 10:45:06PM +1000, Chris Angelico wrote: > On Tue, Apr 12, 2016 at 10:42 PM, Jon Ribbens > wrote: > > That's not a vulnerability, and it's something I already explicitly > > mentioned - if you can get a function to return an object's __dict

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 11:03:11PM +1000, Chris Angelico wrote: > One of the key differences with scripts in web browsers is that there > *is* no "outer environment" to access. If you think that then I think you considerably misunderstand how modern browsers work. > Remember what I said about the

Re: [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

2016-04-12 Thread Jon Ribbens
On Tue, Apr 12, 2016 at 01:40:57PM +, David Wilson wrote: > On Tue, Apr 12, 2016 at 11:12:27PM +1000, Steven D'Aprano wrote: > > I can think of one possible threat. Suppose that the locale library > > has a bug, so that calling "aardvark".isdigit seg faults, potentially > > executing arbitrary

[Python-Dev] SSL sockets and settimeout

2013-12-01 Thread Jon Ribbens
Am I correct in thinking that Python's newfangled socket.settimeout() feature does not play well with SSL wrapped sockets? Would there be any interest in making it so that it did?

Re: [Python-Dev] python 3 niggle: None < 1 raises TypeError

2014-02-17 Thread Jon Ribbens
On Mon, Feb 17, 2014 at 12:43:25PM +0100, M.-A. Lemburg wrote: > This doesn't only apply to numeric comparisons. In Python 2 you > can compare None with any kind of object and it always sorts first, No you can't. See http://bugs.python.org/issue1673405 . According to Tim Peters, the "None is less