PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Performance improvement in blacklist function #1148

Closed ericwb closed 5 months ago

ericwb commented 5 months ago

The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*).

This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelihood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false positive.

The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed.

Fixes: #438
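As an added illustration (not code from this PR or from Bandit itself), the two matching strategies described above side by side: a glob-style qualified-name list checked with fnmatch.fnmatch(), and an explicit set of fully qualified names checked by membership. The pattern lists, the explicit names telnetlib.Telnet and ftplib.FTP, and the function names are assumptions chosen to show the behaviour, not Bandit's real blacklist data or API. It shows why "ftplib.*" flags ftplib.FTP_TLS (the false positive mentioned above) while the explicit form does not, and includes a small microbenchmark of the two checks.

```python
import fnmatch
import timeit

# Constructed stand-ins for a blacklist entry's qualified-name patterns.
# Assumption: the real Bandit entries carry more fields; only the names matter here.
GLOB_QUALNAMES = ["telnetlib.*", "ftplib.*"]          # old style: file-glob patterns
EXPLICIT_QUALNAMES = {"telnetlib.Telnet", "ftplib.FTP"}  # new style: exact names (assumed values)


def matches_glob(qualname, patterns=GLOB_QUALNAMES):
    """Old-style check: fnmatch.fnmatch() against every glob pattern in the list."""
    return any(fnmatch.fnmatch(qualname, pattern) for pattern in patterns)


def matches_explicit(qualname, names=EXPLICIT_QUALNAMES):
    """New-style check: constant-time membership test in a set of exact qualified names."""
    return qualname in names


def compare(qualnames):
    """Return {qualname: (glob_result, explicit_result)} for each candidate call name."""
    return {q: (matches_glob(q), matches_explicit(q)) for q in qualnames}


def benchmark(number=20000):
    """Time both checks on the same input; returns seconds for each strategy."""
    name = "ftplib.FTP_TLS"  # constructed input: a secure call the glob wrongly flags
    return {
        "glob": timeit.timeit(lambda: matches_glob(name), number=number),
        "explicit": timeit.timeit(lambda: matches_explicit(name), number=number),
    }


if __name__ == "__main__":
    # Constructed sample of qualified names a scanner might resolve from call sites.
    for name, (glob_hit, explicit_hit) in compare(
        ["ftplib.FTP", "ftplib.FTP_TLS", "telnetlib.Telnet", "smtplib.SMTP"]
    ).items():
        print(f"{name:18} glob={glob_hit!s:5} explicit={explicit_hit!s:5}")
    print(benchmark())
```

Two practical notes on the old form: fnmatch.fnmatch() normalises case on case-insensitive platforms (it is fnmatch.fnmatchcase() that compares exactly), so the glob check can behave differently on Windows than on Linux; and the microbenchmark only shows the relative cost of one check, the wall-clock gain on a whole scan depends on how many call sites are resolved.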

ericwb commented 5 months ago

Before fix (scanning cpython):

real    1m2.749s
user    1m1.246s
sys 0m0.442s

After fix:

real    0m50.999s
user    0m49.539s
sys 0m0.388s

ericwb commented 5 months ago

Merging, as this is a dependency for approved PR #1149