Guido van Rossum <[EMAIL PROTECTED]> added the comment:

> 3. Google considered this enough of a potential problem to pre-emptively
> fix it. Now that that problem has been publicly exposed, other careful
> users will expect it to be fixed and will find Python more attractive
> when it has been.
>
> If this is included in the next betas, the announcement of such might
> say so and encourage re users to re-run any re-based test code.

I should add that the protection this offers is against attempts to cause crashes by passing bad RE "bytecode" into _sre.compile(). It is not possible to generate such bad RE "bytecode" by writing an evil regular expression; you must have access to the _sre module in order to be able to exploit this vulnerability. In other words, the vulnerability is equivalent to having ctypes accessible. Thus, only people who are worried about malicious use of ctypes should be worried about this vulnerability. Google's App Engine is one of those (rare) places, since it lets anybody run their Python code in a Google datacenter. If you offer the ability to run arbitrary Python code to strangers, you should worry about this. Otherwise, there is no reason to worry.

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue3487>
_______________________________________