Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!aioe.org!feeder.news-service.com!news2.euro.net!newsfeed.xs4all.nl!newsfeed6.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.023 X-Spam-Evidence: '*H*': 0.95; '*S*': 0.00; 'sorts': 0.04; 'wed,': 0.04; 'sure.': 0.05; 'function,': 0.07; 'content- type:multipart/signed': 0.09; 'library': 0.15; 'content- type:application/pgp-signature': 0.16; 'filename:fname piece:asc': 0.16; 'filename:fname piece:signature': 0.16; 'filename:fname:signature.asc': 0.16; 'foo,': 0.16; 'input.': 0.16; 'type...': 0.16; 'header:In-Reply-To:1': 0.22; 'chris': 0.27; 'control.': 0.31; 'strings.': 0.31; 'to:addr:python-list': 0.32; 'someone': 0.33; 'using': 0.34; 'think': 0.36; 'charset:us- ascii': 0.36; 'data': 0.37; 'issue': 0.37; 'apr': 0.38; 'user': 0.38; 'but': 0.38; 'no.': 0.38; 'anything': 0.38; 'set': 0.39; 'to:addr:python.org': 0.39; 'comes': 0.39; 'where': 0.39; 'received:de': 0.39; 'header:Mime-Version:1': 0.39; "it's": 0.40; 'header:Received:5': 0.40; 'received:95': 0.60; 'happen': 0.61; '2011': 0.62; 'database.': 0.69; '"user': 0.84; 'injection': 0.84; 'schrieb': 0.84; 'subject:over': 0.84 Date: Wed, 20 Apr 2011 11:41:21 +0200 From: Bastian Ballmann To: python-list@python.org Subject: Re: Pickling over a socket In-Reply-To: References: <61890800-f81a-4a1e-8905-a0237407f016@a21g2000prj.googlegroups.com> <7744bf8c-0df6-4dc9-a977-7234d571643f@r4g2000prm.googlegroups.com> <7a56699d-7387-49a0-8c4f-f794df43df00@22g2000prx.googlegroups.com> <20110420084431.0480aa41@chaostal.de> <20110420093419.4b83fe4b@chaostal.de> <20110420111723.2daf2437@chaostal.de> X-Mailer: Claws Mail 3.7.8 (GTK+ 2.22.1; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_/y8FsjlnDuqs0xGXJaqEFfVc"; protocol="application/pgp-signature" X-Virus-Scanned: Debian amavisd-new at lucy.chaostal.de X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 43 NNTP-Posting-Host: 82.94.164.166 X-Trace: 1303292503 news.xs4all.nl 81485 [::ffff:82.94.164.166]:52343 X-Complaints-To: abuse@xs4all.nl Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:3672 --Sig_/y8FsjlnDuqs0xGXJaqEFfVc Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Am Wed, 20 Apr 2011 19:26:44 +1000 schrieb Chris Angelico : > Yes, but the other half of the issue is that you have to treat > anything that comes over the network as "user input", even if you > think it's from your own program that you control. Sure. =20 > Buffer overruns can happen in all sorts of places; SQL injection can > only happen where you talk to the database. And it IS just a matter of > using a magic auto-escape function, if your library is set up right - No. Not all data is strings. > Not at all; just never *trust* user input. Where thou typest foo, > someone someday will type... I never *trust* the user *blindly* as you do with your magic-escape-function so where do we disagree? Greets Basti --Sig_/y8FsjlnDuqs0xGXJaqEFfVc Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk2uqkIACgkQEQHD8bvs9q2ZqQCfde7liCQCLPxQAWQFwKiEpU57 RDEAnjas0RhS9rK4BV40Ykm/0OndZ33z =42XK -----END PGP SIGNATURE----- --Sig_/y8FsjlnDuqs0xGXJaqEFfVc--