Guido van Rossum wrote:
> I found this comment in Parser/tokenizer.c:
>
> /* We don't use PyErr_WarnExplicit() here because
>    printing the line in question to e.g. a log file
>    could result in sensitive information being
>    exposed. */
>
> I didn't see a SF reference there or in the CVS checkin comment, so
> I'm stumped. What's the use case?

The use case is easily explained: I have gotten a lot of emails from various people about the new source code encoding feature and the warning that is generated for code lines which have non-ASCII characters in them if the file doesn't have a coding header. Many of these people mentioned that webserver logs (for CGI scripts) would get flooded with these warnings and that there is a potential security breach here if a source line is being copied into these logs. It is rather common that these logs are world readable, so passwords and other sensitive information could easily escape the script's source code, e.g. login information for databases.

> How could copying a line of source
> code to a log file possibly expose information that the owner of the
> log file (often root) doesn't already have access to?

The problem is not the owner of the log file, it's the access permissions that introduce the problem.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Software directly from the Source    (#1, Feb 19 2003)
>>> Python/Zope Products & Consulting ...         http://www.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
Python UK 2003, Oxford:                                     41 days left
EuroPython 2003, Charleroi, Belgium:                       125 days left
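The leak Marc-Andre describes is easy to reproduce from the Python side: the default warning formatter (the one behind warnings.warn_explicit() and PyErr_WarnExplicit()) fetches the offending source line through linecache and appends it under the message, so whatever else is on that line goes to stderr and, for a CGI script, into the web server's error log. The block below is an added illustration, not code from the python-dev thread or from CPython; the sample script, its DB_PASSWORD constant and the 'hunter2' value are constructed for the demonstration. It formats the same warning twice, once as the stock formatter would and once with the source line suppressed, so the difference in what reaches the log is visible.

```python
import os
import tempfile
import warnings

# Constructed sample CGI script (not a real file from the thread): a hard-coded
# database password sits on the same line as a non-ASCII comment, which is the
# kind of line the encoding warning would be raised for.
SAMPLE_SOURCE = (
    "#!/usr/bin/env python\n"
    "import cgi\n"
    "DB_PASSWORD = 'hunter2'  # Zugangsdaten für die Datenbank\n"
    "print('Content-Type: text/html')\n"
)
OFFENDING_LINENO = 3
WARNING_TEXT = "Non-ASCII character in file %s on line %d, but no encoding declared"


def write_sample_script() -> str:
    """Write the constructed script to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SOURCE)
    return path


def format_warning_with_source_line(path: str, lineno: int) -> str:
    """What the stock formatter emits. With line=None (the default), the
    formatter calls linecache.getline(path, lineno) and prints the stripped
    source line under the message. This is the text that lands in stderr,
    i.e. in the CGI error log."""
    return warnings.formatwarning(WARNING_TEXT % (path, lineno),
                                  DeprecationWarning, path, lineno)


def format_warning_without_source_line(path: str, lineno: int) -> str:
    """Hardened variant: pass an empty line so the formatter neither reads
    the file nor echoes any of its contents. File name and line number are
    still reported, which is all the user needs to fix the encoding."""
    return warnings.formatwarning(WARNING_TEXT % (path, lineno),
                                  DeprecationWarning, path, lineno, line="")


def demo() -> tuple:
    """Return (leaky_text, safe_text) for the sample script and clean up."""
    path = write_sample_script()
    try:
        leaky = format_warning_with_source_line(path, OFFENDING_LINENO)
        safe = format_warning_without_source_line(path, OFFENDING_LINENO)
    finally:
        os.remove(path)
    return leaky, safe


if __name__ == "__main__":
    leaky, safe = demo()
    print("--- stock formatter (source line echoed) ---")
    print(leaky, end="")
    print("--- hardened (location only) ---")
    print(safe, end="")
```

The mechanism is the same one the tokenizer comment avoids: it is not the warning itself but the convenience of printing the line in question that turns an encoding notice into a credential disclosure, and the fix costs nothing beyond dropping that line.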