Skip to content

fix: convert to cstrings in PyString::from_object #5008

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
davidhewitt merged 1 commit into from
Mar 28, 2025
Merged

fix: convert to cstrings in PyString::from_object #5008

davidhewitt merged 1 commit into from
Mar 28, 2025

Conversation

@Dr-Emann
Copy link
Contributor

@Dr-Emann Dr-Emann commented Mar 26, 2025

fixes #5005

This only fixes the API, and adds a test of the API, it does not deprecate the API or introduce a version which takes &CStr directly, this can be done later.

@Dr-Emann
fix: convert to cstrings in PyString::from_object
36be975 
fixes PyO3#5005

This only fixes the API, and adds a test of the API, it does not
deprecate the API or introduce a version which takes `&CStr` directly,
this can be done later.
davidhewitt
davidhewitt approved these changes Mar 28, 2025
View reviewed changes
Copy link
Member

@davidhewitt davidhewitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@davidhewitt davidhewitt added this pull request to the merge queue Mar 28, 2025
Merged via the queue into PyO3:main with commit 5caaa37 Mar 28, 2025
48 checks passed
@davidhewitt davidhewitt mentioned this pull request Mar 28, 2025
Merged
@Wumpf
Copy link

Wumpf commented Apr 1, 2025
edited
Loading

@davidhewitt thank you so much for releasing this so timely in a patch release! Do you plan on backporting this to the 0.23.x line as well? I'd like to update to 0.24.x but we also depend on arrow-rs which only recently moved their main branch to 0.24, so stuck on 0.23.x for the moment.

@mejrs
Copy link
Member

mejrs commented Apr 1, 2025

@davidhewitt thank you so much for releasing this so timely in a patch release! Do you plan on backporting this to the 0.23.x line as well? I'd like to update to 0.24.x but we also depend on arrow-rs which only recently moved their main branch to 0.24, so stuck on 0.23.x for the moment.

I don't see why not, but note that you can safely use this api if you take care to null terminate the string yourself, like "utf-8\0".

@emilk emilk mentioned this pull request Apr 1, 2025
Merged
emilk added a commit to rerun-io/rerun that referenced this pull request Apr 1, 2025
@emilk
Silence pyo3 RUSTSEC since we cannot address it right now (#9448)
7363f05 
# Related
* RUSTSEC: https://rustsec.org/advisories/RUSTSEC-2025-0020
* We are waiting for apache/arrow-rs#7324 to
make it into Rerun
* See also
PyO3/pyo3#5008 (comment)
* See also
https://rerunio.slack.com/archives/C05694LC2EQ/p1743501811036759
@davidhewitt
Copy link
Member

davidhewitt commented Apr 4, 2025

As per #5005 (comment), I was not planning to backport. I suspect that almost nobody was using this API, hence why it was broken for so long, so I think the ecosystem risk is low.

peterhj pushed a commit to peterhj/pyo3 that referenced this pull request May 20, 2025
Backport PyO3#5008.
388b751
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alex alex alex approved these changes

@davidhewitt davidhewitt davidhewitt approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PyString::from_object does not convert rust strings to c-strings before calling FFI, causing OOB reads

5 participants

@Dr-Emann @Wumpf @mejrs @davidhewitt @alex