defnull
@defnull@chaos.social  ·  activity timestamp 4 days ago

The 'multipart' #python library got an independent #security audit and I only know about that because they found something -> CVE-2026-28356

This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can now be really confident about the security of this library. Nice!

#cve #infosec #sansio

defnull
@defnull@chaos.social replied  ·  activity timestamp 4 days ago

I would have never found this myself, because I would have had no reason to look for it. It's a single character typo in a regular expression that has no effect on the intended functionality, but leads to catastrophic backtracking when fed with malicious input. Why typo? Because the same pattern is used twice, and only one of them was bad.

The library has 100% test coverage, including malicious input scenarios. But for this kind of issue you'd need a fuzzer. Maybe I should look into #fuzzing?

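The reply above describes a regular expression that works correctly on normal input but backtracks catastrophically on crafted input, which unit tests with 100% coverage did not catch. Below is an added example (not code from the thread, and not the `multipart` library's regex, which the thread does not quote) of the kind of check a fuzzer or a CI harness can run: it times each pattern against constructed probe strings of two lengths and flags any pattern whose match time grows far faster than the input. `BAD_PATTERN`, `GOOD_PATTERN`, the probe string and the growth threshold are all constructed for the illustration.

```python
import re
import timeit

# Constructed patterns for the illustration only. BAD_PATTERN nests one
# quantifier inside another, so a near-miss input makes the engine try every
# way of splitting the run of "a"s (exponential backtracking). GOOD_PATTERN
# matches the same language without the nesting.
BAD_PATTERN = r"(a+)+"
GOOD_PATTERN = r"a+"


def adversarial_input(length: int) -> str:
    """Constructed probe: a long run of the quantified character followed by
    a character that makes the overall match fail, forcing backtracking."""
    return "a" * length + "!"


def match_seconds(pattern: str, text: str) -> float:
    """Best-of-3 seconds per fullmatch attempt.

    timeit.autorange() picks the iteration count so each measurement runs for
    at least ~0.2 s, which keeps microsecond-scale patterns measurable.
    Note that Python's re module has no timeout, so keep probe lengths modest.
    """
    compiled = re.compile(pattern)
    timer = timeit.Timer(lambda: compiled.fullmatch(text))
    best = None
    for _ in range(3):
        number, total = timer.autorange()
        per_call = total / number
        best = per_call if best is None else min(best, per_call)
    return best


def backtracking_growth(pattern: str, short: int = 12, long: int = 16) -> float:
    """Ratio of match time at the longer probe to match time at the shorter one.

    A linear-time pattern stays close to 1.0 (per-call overhead dominates);
    an exponential one roughly doubles per extra character, so four extra
    characters give a ratio around 16.
    """
    return (match_seconds(pattern, adversarial_input(long))
            / match_seconds(pattern, adversarial_input(short)))


def looks_catastrophic(pattern: str, threshold: float = 4.0) -> bool:
    """Flag a pattern whose match time grows superlinearly with input length."""
    return backtracking_growth(pattern) > threshold


def scan_patterns(patterns: dict) -> list:
    """Return the names of all patterns in {name: regex} that look catastrophic."""
    return [name for name, pat in patterns.items() if looks_catastrophic(pat)]


if __name__ == "__main__":
    for name, pat in {"bad": BAD_PATTERN, "good": GOOD_PATTERN}.items():
        print(f"{name}: growth x{backtracking_growth(pat):.1f}, "
              f"catastrophic={looks_catastrophic(pat)}")
```

The check deliberately compares growth between two lengths rather than absolute time, so it is not fooled by a pattern that is slow but linear, and it will flag the nested quantifier even on a fast machine. Because CPython's `re` cannot be interrupted, a harness like this should start with small probe lengths and grow them gradually rather than jumping straight to long inputs.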