Re: Is python buffer overflow proof?

2009-08-07 Thread Fuzzyman
On Aug 4, 6:06 am, John Nagle wrote: > Gabriel Genellina wrote: > > On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden > > wrote: > > >> On 2 Aug, 15:50, Jizzai wrote: > > >>> Is a _pure_ python program buffer overflow proof? > > >>> For example in C++ you can declare a char[9] to hold user inp

Re: Is python buffer overflow proof?

2009-08-07 Thread Fuzzyman
On Aug 3, 10:04 pm, sturlamolden wrote: > On 2 Aug, 15:50, Jizzai wrote: > > > Is a _pure_ python program buffer overflow proof? > > > For example in C++ you can declare a char[9] to hold user input. > > If the user inputs 10+ chars a buffer overflow occurs. > > Short answer: NO > > Bounds checki

Re: Is python buffer overflow proof?

2009-08-07 Thread Thorsten Kampe
* Neil Hodgson (Tue, 04 Aug 2009 13:32:55 GMT) > Thorsten Kampe: > > You cannot create "your own" buffer overflow in Python as you can in C > > and C++ but your code could still be vulnerable if the underlying Python > > construct is written in C. > >Python's standard library does now inclu

Re: Is python buffer overflow proof?

2009-08-04 Thread sturlamolden
On Aug 4, 2:27 pm, Tim Chase wrote: > You *can* shoot yourself in the foot with Python, you just have > to aim much more carefully than you do with C/C++. You can e.g. define a class with a __del__ method and make some circular references. That should give you a nice memory leak. -- http://mai

Re: Is python buffer overflow proof?

2009-08-04 Thread Neil Hodgson
Thorsten Kampe: > You cannot create "your own" buffer overflow in Python as you can in C > and C++ but your code could still be vulnerable if the underlying Python > construct is written in C. Python's standard library does now include unsafe constructs. import ctypes x = '1234' # Munging b

Re: Is python buffer overflow proof?

2009-08-04 Thread Tim Chase
Marcus Wanner wrote: On 8/3/2009 3:45 AM, Diez B. Roggisch wrote: But you can cast the resulting pointer to an array of larger size, and there you are. Ah, that makes sense. I had forgotten about ctypes.cast(). You *can* shoot yourself in the foot with Python, you just have to aim much more

Re: Is python buffer overflow proof?

2009-08-04 Thread Thorsten Kampe
* Jizzai (Sun, 02 Aug 2009 13:50:14 GMT) > Is a _pure_ python program buffer overflow proof? You cannot create "your own" buffer overflow in Python as you can in C and C++ but your code could still be vulnerable if the underlying Python construct is written in C. See [1] for instance. Thorsten

Re: Is python buffer overflow proof?

2009-08-04 Thread Christian Heimes
John Nagle wrote: A more useful question is whether the standard libraries are being run through any of the commercial static checkers for possible buffer overflows. The CPython interpreter is constantly checked with http://www.coverity.com/. Although Python is used for critical stuff at

Re: Is python buffer overflow proof?

2009-08-04 Thread Gabriel Genellina
On Tue, 04 Aug 2009 02:06:06 -0300, John Nagle wrote: Gabriel Genellina wrote: On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden wrote: On 2 Aug, 15:50, Jizzai wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input.

Re: Is python buffer overflow proof?

2009-08-04 Thread Paul Rubin
Steven D'Aprano writes: > The point is that code you write yourself can rely on "pure Python" to be > free of buffer-overflows (for some definition of "rely") rather than > having to worry about managing memory yourself. Right. Basically the Python interpreter protects you reasonably well from

Re: Is python buffer overflow proof?

2009-08-03 Thread Steven D'Aprano
On Mon, 03 Aug 2009 21:34:15 -0700, Paul Rubin wrote: > Steven D'Aprano writes: >> > The Python interpreter is written in C. Python extension modules are >> > written in C (or something similar). If you find an unprotected >> > buffer in this C code, you can possibly overflow this buffer. >> >>

Re: Is python buffer overflow proof?

2009-08-03 Thread John Nagle
Gabriel Genellina wrote: On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden wrote: On 2 Aug, 15:50, Jizzai wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. Sh

Re: Is python buffer overflow proof?

2009-08-03 Thread Paul Rubin
Steven D'Aprano writes: > > The Python interpreter is written in C. Python extension modules are > > written in C (or something similar). If you find an unprotected buffer > > in this C code, you can possibly overflow this buffer. > > How are C extension modules "_pure_ python"? A lot of basic

Re: Is python buffer overflow proof?

2009-08-03 Thread Steven D'Aprano
On Mon, 03 Aug 2009 14:04:53 -0700, sturlamolden wrote: > On 2 Aug, 15:50, Jizzai wrote: > >> Is a _pure_ python program buffer overflow proof? >> >> For example in C++ you can declare a char[9] to hold user input. If the >> user inputs 10+ chars a buffer overflow occurs. > > Short answer: NO >

Re: Is python buffer overflow proof?

2009-08-03 Thread Gabriel Genellina
On Mon, 03 Aug 2009 18:04:53 -0300, sturlamolden wrote: On 2 Aug, 15:50, Jizzai wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. Short answer: NO Bounds ch

Re: Is python buffer overflow proof?

2009-08-03 Thread sturlamolden
On 2 Aug, 15:50, Jizzai wrote: > Is a _pure_ python program buffer overflow proof? > > For example in C++ you can declare a char[9] to hold user input. > If the user inputs 10+ chars a buffer overflow occurs. Short answer: NO Bounds checking on sequence types is a protection against buffer over

Re: Is python buffer overflow proof?

2009-08-03 Thread Marcus Wanner
On 8/3/2009 3:45 AM, Diez B. Roggisch wrote: Marcus Wanner wrote: On 8/2/2009 10:43 AM, Christian Heimes wrote: Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can bre

Re: Is python buffer overflow proof?

2009-08-03 Thread Diez B. Roggisch
Marcus Wanner wrote: On 8/2/2009 10:43 AM, Christian Heimes wrote: Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can break and crash a Python interpreter easily. C

Re: Is python buffer overflow proof?

2009-08-02 Thread Marcus Wanner
On 8/2/2009 10:43 AM, Christian Heimes wrote: Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can break and crash a Python interpreter easily. Christian I see. I thoug

Re: Is python buffer overflow proof?

2009-08-02 Thread Steven D'Aprano
On Sun, 02 Aug 2009 13:50:14 +, Jizzai wrote: > Is a _pure_ python program buffer overflow proof? It's supposed to be. > For example in C++ you can declare a char[9] to hold user input. If the > user inputs 10+ chars a buffer overflow occurs. > > In python, I cannot seem to find a way to de

Re: Is python buffer overflow proof?

2009-08-02 Thread Christian Heimes
Marcus Wanner wrote: I believe that python is buffer overflow proof. In fact, I think that even ctypes is overflow proof... No, ctypes isn't buffer overflow proof. ctypes can break and crash a Python interpreter easily. Christian -- http://mail.python.org/mailman/listinfo/python-list

Re: Is python buffer overflow proof?

2009-08-02 Thread Marcus Wanner
On 8/2/2009 9:50 AM, Jizzai wrote: Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. In python, I cannot seem to find a way to define/restrict a string length. This is probabl

Is python buffer overflow proof?

2009-08-02 Thread Jizzai
Is a _pure_ python program buffer overflow proof? For example in C++ you can declare a char[9] to hold user input. If the user inputs 10+ chars a buffer overflow occurs. In python, I cannot seem to find a way to define/restrict a string length. This is probably by design and raises the topic in