On Sun, Jan 9, 2022 at 7:35 PM Stephen J. Turnbull
wrote:
>
> Chris Angelico writes:
>
> > Not completely, just very minorly. I'm distinguishing between attacks
> > that can be triggered remotely, and those which require the attacker
> > to run specific Python code. For example, using ctypes
>
Chris Angelico writes:
> Not completely, just very minorly. I'm distinguishing between attacks
> that can be triggered remotely, and those which require the attacker
> to run specific Python code. For example, using ctypes
OK. AFAICT that was a red herring introduced to the thread solely to
On Fri, Jan 7, 2022 at 6:09 PM Stephen J. Turnbull
wrote:
>
> Chris Angelico writes:
>
> > Python source code is not user input though. So there has to be a way
> > for someone to attack a Python-based service, like attacking a web app
> > by sending HTTP requests to it.
>
> Not sure what your
Chris Angelico writes:
> Python source code is not user input though. So there has to be a way
> for someone to attack a Python-based service, like attacking a web app
> by sending HTTP requests to it.
Not sure what your point is. Of course there has to be a vector. But
as a Mailman
On Fri, Jan 7, 2022 at 2:57 PM Stephen J. Turnbull
wrote:
>
> Patrick Reader writes:
>
> > And Python is not like JavaScript (in the browser), where code is
> > supposed to be run in a total sandbox. Python is not supposed to be a
> > completely memory-safe language. You can always access
Patrick Reader writes:
> And Python is not like JavaScript (in the browser), where code is
> supposed to be run in a total sandbox. Python is not supposed to be a
> completely memory-safe language. You can always access memory manually
> using `ctypes`, or, ultimately, `/proc/self/mem`.
This is also at https://bugs.python.org/issue46280. Please direct
comments there.
Eric
On 1/6/2022 8:22 AM, lxr1210--- via Python-Dev wrote:
Hi all,
I am currently doing some research on the security of CPython. I used
the open source vulnerability analysis engine,
On 06/01/2022 15:21, Petr Viktorin wrote:
Sometimes there's a bug worth fixing, sometimes it's even an actual
vulnerability, but in my experience, most of what tools find in
CPython is not actionable.
If you do find a security vulnerability, consider reporting it
privately to the security
On 06. 01. 22 14:22, lxr1210--- via Python-Dev wrote:
Hi all,
I am currently doing some research on the security of CPython. I used
the open source vulnerability analysis engine,
Infer(https://fbinfer.com/), to scan the native code of CPython 3.10.0.
The scan results show that there are
On Fri, Jan 7, 2022 at 1:59 AM lxr1210--- via Python-Dev
wrote:
>
> Hi all,
>
> I am currently doing some research on the security of CPython. I used the
> open source vulnerability analysis engine, Infer(https://fbinfer.com/), to
> scan the native code of CPython 3.10.0.
>
> The scan results
10 matches
Mail list logo
