Add discussion of security issues.

This commit is contained in:
Martin v. Löwis 2009-06-02 21:00:50 +00:00
parent 59008e8009
commit d2a8910fd3
1 changed files with 11 additions and 0 deletions

View File

@ -104,6 +104,17 @@ will produce non-sensical data.
Data obtained from other sources may conflict with data produced Data obtained from other sources may conflict with data produced
by this PEP. Dealing with such conflicts is out of scope of the PEP. by this PEP. Dealing with such conflicts is out of scope of the PEP.
This PEP allows to "smuggle" bytes in character strings. This would
be a security risk if the bytes are security-critical when interpreted
as characters on a target system, such as path name separators. For
this reason, the PEP rejects smuggling bytes below 128. If the target
system uses EBCDIC, such smuggled bytes may still a security risk,
allowing to smuggle, e.g. square brackets or the backslash. Python
currently does not support EBCDIC, so this should not be a problem in
practice. Anybody porting Python to an EBCDIC system might want to
adjust the error handlers, or come up with other approaches to address
the security risks.
Encodings that are not compatible with ASCII are not supported by Encodings that are not compatible with ASCII are not supported by
this specification; bytes in the ASCII range that fail to decode this specification; bytes in the ASCII range that fail to decode
will cause an exception. It is widely agreed that such encodings will cause an exception. It is widely agreed that such encodings