Karthikeyan Singaravelan <tir.kar...@gmail.com> added the comment:
> This bug is not new, and this is the first report for it. It can be treated
> as a security issue if an application allows user to specify format string.
> But using a format string from untrusted source causes a security issue
> itself, because this allows to spend memory and CPU time for creating an
> arbitrary large string object. Also, unlikely debug builds be used in
> production.

My initial thought was that since the assert failed it has exposed some bug or behavior change. Also I didn't know release builds remove assert statements. Since it's a case of debug build being a problem I agree with you that impact is low since it shouldn't be used in production.

> I would backport the solution of this issue to 3.6, but it is not bad if it
> will be not backported. I think this is not a release blocker.

Thanks, I have created a PR with tests https://github.com/python/cpython/pull/11288 . For some reason it's not linked to the issue.

----------
keywords: +patch
pull_requests: +10513
stage:  -> patch review

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35560>
_______________________________________
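
The risk raised in the quoted reply, that a format string from an untrusted source can request an arbitrarily large string, can be bounded by validating the spec before it reaches `format()`. The following is an added example, not code from the tracker or from CPython; the names `check_format_spec`, `safe_format`, `UnsafeFormatSpec` and the three limits are assumptions chosen for illustration.

```python
import re

# Standard format spec: [[fill]align][sign][#][0][width][grouping][.precision][type]
_SPEC = re.compile(
    r"(?:(?P<fill>.)?(?P<align>[<>=^]))?"
    r"(?P<sign>[-+ ])?(?P<alt>#)?(?P<zero>0)?"
    r"(?P<width>\d+)?(?P<grouping>[_,])?"
    r"(?:\.(?P<precision>\d+))?"
    r"(?P<type>[bcdeEfFgGnosxX%])?",
    re.DOTALL,
)

MAX_SPEC_LEN = 32    # assumed policy limits, tune per application
MAX_WIDTH = 64
MAX_PRECISION = 32


class UnsafeFormatSpec(ValueError):
    """Raised when an untrusted format spec is malformed or over the limits."""


def check_format_spec(spec):
    """Return spec unchanged if it is well-formed and within the limits."""
    # Cap the length first so int() below never sees a huge digit string.
    if len(spec) > MAX_SPEC_LEN:
        raise UnsafeFormatSpec("format spec too long")
    m = _SPEC.fullmatch(spec)
    if m is None:
        raise UnsafeFormatSpec("not a standard format spec: %r" % spec)
    for field, limit in (("width", MAX_WIDTH), ("precision", MAX_PRECISION)):
        digits = m.group(field)
        if digits is not None and int(digits) > limit:
            raise UnsafeFormatSpec("%s %s exceeds limit %d" % (field, digits, limit))
    return spec


def safe_format(value, spec):
    """format() for a caller-supplied spec with width and precision capped."""
    return format(value, check_format_spec(spec))
```

The check covers only the standard mini-language used by built-in numeric and string types; objects with a custom `__format__` interpret the spec themselves and need their own validation.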