similar to SF bug 847019: a quick check in the time() constructor, which

accepts strings only for unpickling reasons.  This check prevents the honest
mistake of passing a string like '2:59.0' to time() and getting an insane
object.

diff --git a/Lib/test/test_datetime.py b/Lib/test/test_datetime.py
index 9abfb875b9a79554891a5dceb0c4a322d8168e9a..27f42c67902e535d54c91e21440f15a6f54abb09 100644 (file)
--- a/Lib/test/test_datetime.py
+++ b/Lib/test/test_datetime.py
@@ -1830,6 +1830,13 @@ class TestTime(HarmlessMixedComparison):
         self.assertEqual(dt1.isoformat(), dt2.isoformat())
         self.assertEqual(dt2.newmeth(-7), dt1.hour + dt1.second - 7)
 
+    def test_backdoor_resistance(self):
+        # see TestDate.test_backdoor_resistance().
+        base = '2:59.0'
+        for hour_byte in ' ', '9', chr(24), '\xff':
+            self.assertRaises(TypeError, self.theclass,
+                                         hour_byte + base[1:])
+
 # A mixin for classes with a tzinfo= argument.  Subclasses must define
 # theclass as a class atribute, and theclass(1, 1, 1, tzinfo=whatever)
 # must be legit (which is true for time and datetime).

diff --git a/Modules/datetimemodule.c b/Modules/datetimemodule.c
index 7c1a6d0c593759d109b6f1c5eb4e68514289169b..6b44fe505ea1a5befb18a2139caf7b5391c74fa0 100644 (file)
--- a/Modules/datetimemodule.c
+++ b/Modules/datetimemodule.c
@@ -3046,7 +3046,8 @@ time_new(PyTypeObject *type, PyObject *args, PyObject *kw)
        if (PyTuple_GET_SIZE(args) >= 1 &&
            PyTuple_GET_SIZE(args) <= 2 &&
            PyString_Check(state = PyTuple_GET_ITEM(args, 0)) &&
-           PyString_GET_SIZE(state) == _PyDateTime_TIME_DATASIZE)
+           PyString_GET_SIZE(state) == _PyDateTime_TIME_DATASIZE &&
+           ((unsigned char) (PyString_AS_STRING(state)[0])) < 24)
        {
                PyDateTime_Time *me;
                char aware;