[security] bpo-13617: Reject embedded null characters in wchar* strings. (#2302)
Based on patch by Victor Stinner.
Add private C API function _PyUnicode_AsUnicode() which is similar to
PyUnicode_AsUnicode(), but checks for null characters.
diff --git a/Lib/test/test_curses.py b/Lib/test/test_curses.py
index 3d8c50b..0d0b160 100644
--- a/Lib/test/test_curses.py
+++ b/Lib/test/test_curses.py
@@ -81,7 +81,7 @@
win2 = curses.newwin(15,15, 5,5)
for meth in [stdscr.addch, stdscr.addstr]:
- for args in [('a'), ('a', curses.A_BOLD),
+ for args in [('a',), ('a', curses.A_BOLD),
(4,4, 'a'), (5,5, 'a', curses.A_BOLD)]:
with self.subTest(meth=meth.__qualname__, args=args):
meth(*args)
@@ -194,6 +194,15 @@
self.assertRaises(ValueError, stdscr.instr, -2)
self.assertRaises(ValueError, stdscr.instr, 2, 3, -2)
+ def test_embedded_null_chars(self):
+ # reject embedded null bytes and characters
+ stdscr = self.stdscr
+ for arg in ['a', b'a']:
+ with self.subTest(arg=arg):
+ self.assertRaises(ValueError, stdscr.addstr, 'a\0')
+ self.assertRaises(ValueError, stdscr.addnstr, 'a\0', 1)
+ self.assertRaises(ValueError, stdscr.insstr, 'a\0')
+ self.assertRaises(ValueError, stdscr.insnstr, 'a\0', 1)
def test_module_funcs(self):
"Test module-level functions"