On Tue, Apr 15, 2014 at 7:28 PM, Richard Kettlewell <r...@greenend.org.uk> wrote:
> This program is on a security boundary, the pathological cases are
> precisely the ones the attacker looks for.
>
> (It’s hard to see how an attacker could turn this into a useful attack.
> But perhaps the attacker has more imagination than me.)

Quite frankly, I don't even care :) It's easy enough to fix the bug.
The idiomatic code will compile without warnings *and* be secure, so
I'm not seeing any reason to use the existing form. All I'm saying is
that it's normally going to happen to work; sure, an attacker might
well be able to get into something (although if you can generate 4GB
of environment, the fact that it doesn't get zeroed is likely to be
less of a concern than the massive DOS potential of a huge env!!), but
casual usage will have it seeming to work. The obvious solution is
right in every possible way, so that's the thing to do moving forward.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list