Path: csiph.com!newsfeed.hal-mli.net!feeder3.hal-mli.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <nicholas.cole@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.002
X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'python,': 0.02; '(at': 0.04; 'languages,': 0.04; 'static': 0.04; 'python)': 0.05; 'bug.': 0.09; 'thrown': 0.09; 'useless': 0.09; 'cc:addr:python-list': 0.11; 'def': 0.12; 'bug': 0.12; '(written': 0.16; 'ie.': 0.16; 'intended.': 0.16; 'it),': 0.16; 'roy': 0.16; 'statement.': 0.16; 'unreachable': 0.16; 'wrote:': 0.18; "python's": 0.19; 'stefan': 0.19; 'written': 0.21; 'code,': 0.22; 'programming': 0.22; 'import': 0.22; 'rules': 0.22; 'cc:addr:python.org': 0.22; 'url:02': 0.24; "haven't": 0.24; 'looks': 0.24; 'cc:2**0': 0.24; 'mention': 0.26; 'header:In-Reply-To:1': 0.27; 'raise': 0.29; "doesn't": 0.30; 'message-id:@mail.gmail.com': 0.30; 'code': 0.31; 'accidentally': 0.31; 'indentation': 0.31; 'quite': 0.32; 'subject:the': 0.34; 'anybody': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'url:org': 0.36; 'two': 0.37; 'list': 0.37; 'being': 0.38; 'pm,': 0.38; 'recent': 0.39; 'how': 0.40; 'even': 0.60; 'reviewed': 0.60; 'save': 0.62; 'such': 0.63; 'become': 0.64; 'more': 0.64; 'due': 0.66; 'mar': 0.68; 'smith': 0.68; 'obvious': 0.74; 'saw': 0.77; 'article': 0.77; 'actually,': 0.84; 'obvious.': 0.84; 'url:2014': 0.84; 'us?': 0.84
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4fGKUvrEhWtQMz+HxTVcQedN+7Nvi6p2YBst2uv3Z8k=; b=C7liNP5dtsR72akkxGyxcGWuvYXeT9+N6GBGIBpBTweNIorj2tDerDXOUJTYP6Mx8t OXxN61K8F68sCKMr3UGuffqaD2QTj8GTsYRmIzqn4tJn64dKwzhUlbZUFzICCbydEXDZ lXxbymIze41QsOllMWP/Oe6rB5wuCB9sw9alRnCe0/C61I4lB6JTxY4aAgFbZMUW/t4t IXQ31YGRTXgbW89eDUIvfpZZ1fE4ca9vuhO7C3SMOSbXAGPTtHPr4EACx3abFIcaIb7o VS7AP107S37H27WN1Sfc1JhK/AygVm0JyC15ImBWPVX26c6UKaoUaBF3q1XI8RFBFWZH czmg==
MIME-Version: 1.0
X-Received: by 10.15.26.199 with SMTP id n47mr34954587eeu.30.1393787322569; Sun, 02 Mar 2014 11:08:42 -0800 (PST)
In-Reply-To: <roy-3F8596.09385002032014@news.panix.com>
References: <mailman.7568.1393756930.18130.python-list@python.org> <roy-3F8596.09385002032014@news.panix.com>
Date: Sun, 2 Mar 2014 19:08:42 +0000
Subject: Re: why indentation should be part of the syntax
From: Nicholas Cole <nicholas.cole@gmail.com>
To: Roy Smith <roy@panix.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: Python <python-list@python.org>
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.7589.1393787329.18130.python-list@python.org>
Lines: 42
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1393787329 news.xs4all.nl 2897 [2001:888:2000:d::a6]:55650
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:67459

On Sun, Mar 2, 2014 at 2:38 PM, Roy Smith <roy@panix.com> wrote:
> In article <mailman.7568.1393756930.18130.python-list@python.org>,
>  Stefan Behnel <stefan_ml@behnel.de> wrote:
>
>> Haven't seen any mention of it on this list yet, but since it's such an
>> obvious flaw in quite a number of programming languages, here's a good
>> article on the recent security bug in iOS, which was due to accidentally
>> duplicated code not actually being as indented as it looked:
>>
>> https://www.imperialviolet.org/2014/02/22/applebug.html
>>
>> Stefan
>
> Hogwash.  What this looks like is two gotos in a row.  Anybody who
> reviewed this code would have thrown up a red flag when they saw two
> gotos in a row.  If anything, the "incorrect" indentation makes it even
> more obvious.  Any static code analyzer would have also caught this as
> an unreachable statement.
>
> Paraphrasing this into Python, you get:
>
> def bogus():
>     if SSLHashSHA1.update(hashCtx, serverRandom) != 0:
>         raise fail
>     if SSLHashSHA1.update(hashCtx, signedParams) != 0:
>         raise fail
>         raise fail
>     if SSLHashSHA1.final(hashCtx, hashOut) != 0:
>         raise fail
>
> which is syntactically valid (at least, I can import it), but clearly
> not what the author intended.  So how did Python's indentation rules
> save us?

Actually, that's incorrect.  The bug (written in Python) would have been:

if SSLHashSHA1.update(hashCtx, signedParams) != 0:
    raise fail
raise fail # ie. no indent.

If written with the indent, it's a useless line of code, but it
doesn't become a bug.