Hacking day at my house
Sep. 16th, 2013 08:02 am
Last week the BACON-PIG decided to have an informal sprint to hack on core Python, and today we held it at my (newly-purchased!) house.
Barry Warsaw is the release manager for Python 2.6.9, so we looked at various release-blocking issues for 2.6.9. The bulk of them at this time are various DDoS possibilities where .readline() is called with no size limitation. An attacker can then feed large amounts of data and consume an arbitrary amount of memory. The fixes all take the same general pattern: add a size limitation to the .readline() call that varies depending on the protocol, and then report an error if the line hits the limit.
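A sketch of that pattern, added here as an illustration and not taken from the actual CPython patches. The names MAX_LINE, LineTooLong, read_bounded_line and read_response_lines are hypothetical, the 64-byte limit is an assumed value, and the input streams are constructed samples.

```python
import io

MAX_LINE = 64  # assumed per-protocol limit, kept small for the demonstration


class LineTooLong(Exception):
    """Raised when the peer sends a line longer than the protocol allows."""


def read_bounded_line(stream, limit=MAX_LINE):
    # Ask for one byte more than the limit. readline(n) returns at most n
    # bytes, so memory use is bounded, and getting limit + 1 bytes back
    # proves the line is oversized.
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong("line exceeds %d bytes" % limit)
    return line


def read_response_lines(stream, limit=MAX_LINE):
    """Collect lines up to a blank line or EOF, rejecting oversized ones."""
    lines = []
    while True:
        line = read_bounded_line(stream, limit)
        if not line or line in (b"\r\n", b"\n"):
            return lines
        lines.append(line.rstrip(b"\r\n"))


def demo():
    # Constructed well-formed response: every line is under the limit.
    good = io.BytesIO(b"220 ready\r\n250 ok\r\n\r\n")
    parsed = read_response_lines(good)

    # Constructed hostile input: one megabyte with no newline. An unbounded
    # readline() would buffer all of it; the bounded call stops early.
    hostile = io.BytesIO(b"A" * 1000000)
    try:
        read_bounded_line(hostile)
        rejected = False
    except LineTooLong:
        rejected = True
    return parsed, rejected, hostile.tell()


if __name__ == "__main__":
    print(demo())
```

A line of exactly MAX_LINE bytes, newline included, is still accepted; only the extra byte triggers the error.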
I also committed the traceback.clear_frames() function that I was working on last week.