Message 297468 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	steve.dower
Recipients	benjamin.peterson, georg.brandl, larry, ned.deily, paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
Date	2017年07月01日.04:37:07
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1498883827.43.0.157852676739.issue30730@psf.upfronthosting.co.za>

Content
It's certainly exploitable for remote code execution if user data allows embedded nulls (can you URL encode %00?). The fixes look fine and shouldn't cause any new issues, though I thought that fsencode() already rejected embedded nulls - maybe I'm thinking of the argument converter though, which is not invoked here.

Content

It's certainly exploitable for remote code execution if user data allows embedded nulls (can you URL encode %00?). The fixes look fine and shouldn't cause any new issues, though I thought that fsencode() already rejected embedded nulls - maybe I'm thinking of the argument converter though, which is not invoked here.

History
Date	User	Action	Args
2017年07月01日 04:37:07	steve.dower	set	recipients: + steve.dower, georg.brandl, paul.moore, larry, tim.golden, benjamin.peterson, ned.deily, zach.ware, serhiy.storchaka
2017年07月01日 04:37:07	steve.dower	set	messageid: <1498883827.43.0.157852676739.issue30730@psf.upfronthosting.co.za>
2017年07月01日 04:37:07	steve.dower	link	issue30730 messages
2017年07月01日 04:37:07	steve.dower	create

homepage