Issue 13301: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/57510

classification

Title:	the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
Type:	security	Stage:	resolved
Components:	Demos and Tools	Versions:	Python 3.2, Python 3.3, Python 3.4, Python 2.7

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	ezio.melotti	Nosy List:	barry, benjamin.peterson, eric.araujo, ezio.melotti, georg.brandl, izi, petri.lehtinen, python-dev, serhiy.storchaka
Priority:	normal	Keywords:	patch

Created on 2011-10-31 09:18 by izi, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
msgfmt.py.diff	izi, 2011-10-31 09:18	Patch that replaces the eval() call	review
msgfmt.py.diff.update1.diff	izi, 2011-10-31 10:02	Handle unescaped quote at the beginning of the string	review
msgfmt_literal_eval.patch	serhiy.storchaka, 2012-11-01 20:18	Use the literal_eval, Luke!	review

Messages (8)
msg146678 - (view)	Author: David Jean Louis (izi)	Date: 2011-10-31 09:18
Hi, I'm the author of the polib python module, incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote) I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution, someone could create a malicious po entry like this: msgid "owned!" msgstr "" or __import__("os").popen("rm -rf /") As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed, I'm adding a patch for this issue. Regards, -- David
msg146680 - (view)	Author: Georg Brandl (georg.brandl) *	Date: 2011-10-31 09:58
This should be fixed; the patch doesn't seem correct though, it doesn't handle escapes like eval() would.
msg146681 - (view)	Author: David Jean Louis (izi)	Date: 2011-10-31 10:02
I'm adding an updated patch that also handles unescaped double quote at the beginning of the string.
msg146683 - (view)	Author: David Jean Louis (izi)	Date: 2011-10-31 10:06
Hmm, I missed your previous message, indeed, unescaping is not handled by this patch, sorry about that. Here's how it is handled in polib: https://bitbucket.org/izi/polib/src/dbafdc621bf4/polib.py#cl-206
msg173202 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2012-10-17 20:22
The patch does not unquote strings ("spam\n" is interpreted as r"spam\n") and allows invalid entry such as "\\" or boo.
msg174470 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2012-11-01 20:18
Here is a more simpler patch. Please approve, it's a really trivial patch.
msg175219 - (view)	Author: Roundup Robot (python-dev)	Date: 2012-11-09 10:52
New changeset 058ff991bdcb by Ezio Melotti in branch '2.7': #13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka. http://hg.python.org/cpython/rev/058ff991bdcb New changeset 2fa338374719 by Ezio Melotti in branch '3.2': #13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka. http://hg.python.org/cpython/rev/2fa338374719 New changeset ea2cb9b69fd9 by Ezio Melotti in branch '3.3': #13301: merge with 3.2. http://hg.python.org/cpython/rev/ea2cb9b69fd9 New changeset aa02f7be68f6 by Ezio Melotti in branch 'default': #13301: merge with 3.3. http://hg.python.org/cpython/rev/aa02f7be68f6
msg175220 - (view)	Author: Ezio Melotti (ezio.melotti) *	Date: 2012-11-09 10:53
Fixed, thanks for the patch!

History
Date	User	Action	Args
2022-04-11 14:57:23	admin	set	github: 57510
2012-11-09 10:53:39	ezio.melotti	set	status: open -> closed messages: + msg175220 assignee: ezio.melotti resolution: fixed stage: patch review -> resolved
2012-11-09 10:52:15	python-dev	set	nosy: + python-dev messages: + msg175219
2012-11-01 20:18:11	serhiy.storchaka	set	files: + msgfmt_literal_eval.patch messages: + msg174470 stage: needs patch -> patch review
2012-10-17 20:22:16	serhiy.storchaka	set	versions: + Python 3.4 nosy: + serhiy.storchaka messages: + msg173202 stage: patch review -> needs patch
2011-10-31 16:09:46	eric.araujo	set	nosy: + eric.araujo versions: - Python 2.6, Python 3.1, Python 3.4
2011-10-31 10:06:23	izi	set	messages: + msg146683
2011-10-31 10:02:40	izi	set	files: + msgfmt.py.diff.update1.diff messages: + msg146681 versions: + Python 2.6, Python 3.1, Python 3.4
2011-10-31 09:58:49	georg.brandl	set	messages: + msg146680
2011-10-31 09:34:06	petri.lehtinen	set	nosy: + petri.lehtinen
2011-10-31 09:30:27	ezio.melotti	set	nosy: + barry, georg.brandl, benjamin.peterson, ezio.melotti stage: patch review versions: - Python 2.6, Python 3.1, Python 3.4
2011-10-31 09:18:15	izi	create