gh-74616: Raise ValueError in case of NULL in input prompt

[kushaldas]

If the input prompt to the builtin input function has any NULL
character, then raise ValueError.

• Issue: input function truncates prompt by NULL byte #74616

[eryksun]

How about "input: prompt string cannot contain null characters"? "null" is more common in existing error messages, but "NUL" with one L is also used, since that's the ASCII name of character. NULL refers to the C pointer constant.

[kushaldas]

Sounds good, I will modify it for the same.

[serhiy-storchaka]

NULL means a null pointer in C. Use "a null character" for consistency with other documentation.

But actually I think this change doesn't need special mentioning in the documentation. This is just a bugfix. A null character is prohibited in many other APIs.

[kushaldas]

Okay, will remove this docs update.

[serhiy-storchaka]

This can raise an error.

[kushaldas]

Yup, I will do a check for NULL case.

[kushaldas]

actually I don't need this anymore for the change as mentioned the comment below.

[serhiy-storchaka]

Is readline history related to this issue? Does the test work if remove calls of set_auto_history and get_current_history_length?

[vadmium]

I suspect the readline module is not needed at all. Perhaps the test would be better off in test_builtin.py. There are already some tests there in the PtyTests class that call input on a terminal, so you may be able to use them for inspiration.

[terryjreedy]

This change, if general, introduces a regression. The doc for input(prompt) says "If the prompt argument is present, it is written to standard output without a trailing newline." The handling of the prompt is up to stdout.write and thence physical displays devices. Python does not specify what happens with any particular character, including \r, \t, and astral chars. [This is an abbreviation of my 2017-05-27 posts on the issue]

[brettcannon]

To try and help move older pull requests forward, we are going through and backfilling 'awaiting' labels on pull requests that are lacking the label. Based on the current reviews, the best we can tell in an automated fashion is that a core developer requested changes to be made to this pull request.

If/when the requested changes have been made, please leave a comment that says, I have made the requested changes; please review again. That will trigger a bot to flag this pull request as ready for a follow-up review.

[github-actions]

This PR is stale because it has been open for 30 days with no activity.

[github-actions]

This PR is stale because it has been open for 30 days with no activity.

[iritkatriel]

This change, if general, introduces a regression. The doc for input(prompt) says "If the prompt argument is present, it is written to standard output without a trailing newline." The handling of the prompt is up to stdout.write and thence physical displays devices. Python does not specify what happens with any particular character, including \r, \t, and astral chars. [This is an abbreviation of my 2017-05-27 posts on the issue]

@terryjreedy - are you saying that this PR should be rejected, or did I misunderstand?

[terryjreedy]

Yes, to me the patch is wrong. The doc still says "If the prompt argument is present, it is written to standard output without a trailing newline. " The issue OP, ghost, merely noted that the prompt was truncated. I believe 'ghost' wanted it to not be truncated. To me, raising instead of writing something is worse. It is not normal for Python to check strings for null. Print and sys.stdout.write and sys.stderr.write do not. From my testing of builtin functions, only the filename in open and compile is. The attr functions and int and iter do not.

Eryk says the prompt goes to stderr on terminals. If this is considered correct, then the doc should be changed.

[eryksun]

It is not normal for Python to check strings for null.

If a string is passed to C as a null-terminated string, ValueError should be raised if it contains embedded null characters. Allowing the string to get truncated arbitrarily is poorly defined behavior.

PyOS_Readline() in "Parser/myreadline.c" takes the prompt to write as a null-terminated string because that's what the GNU Readline API uses.

Print and sys.stdout.write and sys.stderr.write do not.

The underlying calls to POSIX write() and WinAPI WriteFile() and WriteConsoleW() require the number of data elements to write, so embedded null characters aren't a problem.

---

Eryk says the prompt goes to stderr on terminals. If this is considered correct, then the doc should be changed.

If sys.stdin and sys.stdout are terminal files and respectively the same OS files as the C stdin and stdout streams, then input() is implemented by PyOS_Readline().

The default implementation of PyOS_Readline() is PyOS_StdioReadline(), which writes the prompt to the C stderr stream¹. However, if the readline module is imported, then PyOS_Readline() typically uses GNU Readline on Unix systems. GNU Readline writes the prompt to stdout, not to stderr. Usually a script does not import the readline module.

You can examine the different behavior on a Unix system by executing a test script with the single line input('prompt: '). If you run it via python test.py 2>stderr.txt, the prompt will be written to "stderr.txt", and you won't have GNU Readline editing keys (e.g. home and end). If you run it via python -i test.py 2>stderr.txt, the prompt will be written to the terminal, and you'll have GNU Readline editing keys.

Footnotes

1. On Windows, if C stderr is a console file and legacy mode isn't enabled, we actually re-encode the prompt from UTF-8 to UTF-16 and write it directly to the console via WriteConsoleW(). ↩

[terryjreedy]

It would seem then that calling sys.stdout.write('prompt') (or sys.stderr? when appropriate?) and then PyOS_Readline(), with no prompt, would solve the truncation issue.

As for the destination, I am just suggesting adding 'or error' to the current doc to match the behavior.

[eryksun]

It would seem then that calling sys.stdout.write('prompt') (or sys.stderr? when appropriate?) and then PyOS_Readline(), with no prompt, would solve the truncation issue.

Unfortunately GNU Readline needs to be passed the prompt in order to set the margin for editing. Without it, for example, pressing the home key will move the cursor to the first column of the terminal instead of the first column after the prompt.

[serhiy-storchaka]

In Python interface to OS or other libraries an error is raised if the underlying function does not support embedded NULs (for example if it takes argument as a null-terminated string char*). In many cases the check is indirect (when use PyArg_Parse with the "s" format unit) or is embedded in other C API functions like PyUnicode_FSDecoder or PyUnicode_AsWideCharString, in other cases it is explicit.

And since the readline API accepts argument as null-terminated string, we should ensure that it does not contain embedded NULs.

[terryjreedy]

Eryk's cursor control (prompt avoidance) issue, which IDLE has now, convinced me to drop my objection to the code change.

[eryksun]

@serhiy-storchaka, do you think PyRun_InteractiveOneObjectEx() in "Python/pythonrun.c" should raise a warning if sys.ps1 or sys.ps2 contain embedded null characters? I don't think raising an error would be appropriate for the REPL.

[serhiy-storchaka]

Good question. Since PyRun_InteractiveOneObjectEx() already silences many errors (like absent or non-UTF8-encodable sys.ps1), it would not be much worse if it silently truncate or completely ignore sys.ps1 with a null character. In future it would be better to emit some warnings or error, but it is a different issue, and it is not particularly important in any case.

[github-actions]

This PR is stale because it has been open for 30 days with no activity.

The objection was dropped.