On 2 Aug, 15:50, Jizzai <jiz...@gmail.com> wrote:
> Is a _pure_ python program buffer overflow proof?
>
> For example in C++ you can declare a char[9] to hold user input.
> If the user inputs 10+ chars a buffer overflow occurs.
Short answer: NO

Bounds checking on sequence types is a protection against buffer overflow, but is certainly not sufficient.

The Python interpreter is written in C. Python extension modules are written in C (or something similar). If you find an unprotected buffer in this C code, you can possibly overflow this buffer. This can be used for nasty things like corrupting the stack and injecting malicious code. There is a reason why the Python sandbox (rexec and Bastion modules) was disabled in Python 2.3.

IronPython and Jython provide better protection against buffer overflow than CPython, as these interpreters are written in safer languages (C# and Java). You thus get an extra layer of protection between the Python code and the unsafe C (used in JVM and .NET runtimes).

--
http://mail.python.org/mailman/listinfo/python-list
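An added illustration of the point made above (my own code, not from either poster): Python's sequence types carry their own bounds check, so the char[9] scenario from the question ends in an IndexError, while a raw memory copy through ctypes (standing in for the C side of an extension module) has no such check and the wrapper has to supply it. The function names are hypothetical.

```python
import ctypes

BUF_SIZE = 9  # the char[9] from the question: 8 characters plus a terminating NUL


def store_pure_python(data: bytes) -> bytearray:
    """Pure-Python stand-in for char[9].

    Each element write is bounds-checked by the interpreter, so one byte too
    many raises IndexError instead of writing past the end of the object.
    """
    buf = bytearray(BUF_SIZE)
    for i, b in enumerate(data):
        buf[i] = b  # IndexError as soon as i >= BUF_SIZE
    return buf


def store_ctypes_checked(data: bytes) -> ctypes.Array:
    """Copy into a C-style fixed buffer via ctypes.memmove (a raw memcpy).

    memmove itself performs no bounds check and would write past the buffer;
    the explicit length test below is what C extension code has to do by hand.
    """
    buf = ctypes.create_string_buffer(BUF_SIZE)
    if len(data) > BUF_SIZE - 1:  # keep one slot for the NUL terminator
        raise ValueError(f"{len(data)} bytes do not fit in char[{BUF_SIZE}]")
    ctypes.memmove(buf, data, len(data))
    return buf


def rejected(store, data: bytes) -> bool:
    """True when `store` refuses `data`: IndexError from Python's built-in
    bounds check, ValueError from the explicit check in the ctypes wrapper."""
    try:
        store(data)
    except (IndexError, ValueError):
        return True
    return False
```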