On Mon, Jan 27, 2014 at 5:38 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>
> I would say not backport at all. The security threat is highly
> theoretical. If someone blindly accepts user values for repeat(), the
> user value can just as well be a very large positive with similar
> effects (e.g. 2**31).
>
I can not comment about whether this is security issue or not. But the
effect of large positive number is not similar to the effect of
unlimited repetitions.
>>> from itertools import repeat
>>> list(repeat('a', 2**31))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
MemoryError
>>> list(repeat('a', 2**99))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OverflowError: Python int too large to convert to C ssize_t
>>> list(repeat('a', times=-1))
...this freezes my computer...
That is why I prefer we backport the fix (either partial or full). If
not, giving a big warning in the documentation should suffice.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4