Classification
Title: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
Type: security
Stage: resolved
Components: Demos and Tools
Versions: Python 3.4, Python 3.2, Python 3.3, Python 2.7

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: ezio.melotti
Nosy List: barry, benjamin.peterson, eric.araujo, ezio.melotti, georg.brandl, izi, petri.lehtinen, python-dev, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2011-10-31 09:18 by izi, last changed 2012-11-09 10:53 by ezio.melotti. This issue is now closed.

Files
File name | Uploaded | Description
msgfmt.py.diff | izi, 2011-10-31 09:18 | Patch that replaces the eval() call
msgfmt.py.diff.update1.diff | izi, 2011-10-31 10:02 | Handle unescaped quote at the beginning of the string
msgfmt_literal_eval.patch | serhiy.storchaka, 2012-11-01 20:18 | Use the literal_eval, Luke!
Messages (8)
msg146678 - Author: David Jean Louis (izi) Date: 2011-10-31 09:18
Hi, 

I'm the author of the polib Python module. Incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote), I found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution; someone could create a malicious po entry like this:

msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")

As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed. I'm adding a patch for this issue.

Regards,

-- 
David
msg146680 - Author: Georg Brandl (georg.brandl) (Python committer) Date: 2011-10-31 09:58
This should be fixed; the patch doesn't seem correct though, it doesn't handle escapes like eval() would.
msg146681 - Author: David Jean Louis (izi) Date: 2011-10-31 10:02
I'm adding an updated patch that also handles unescaped double quote at the beginning of the string.
msg146683 - Author: David Jean Louis (izi) Date: 2011-10-31 10:06
Hmm, I missed your previous message. Indeed, unescaping is not handled by this patch, sorry about that. Here's how it is handled in polib:
https://bitbucket.org/izi/polib/src/dbafdc621bf4/polib.py#cl-206
msg173202 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2012-10-17 20:22
The patch does not unquote strings ("spam\n" is interpreted as r"spam\n") and allows an invalid entry such as "\\" or boo.
msg174470 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2012-11-01 20:18
Here is a simpler patch.  Please approve, it's a really trivial patch.
msg175219 - Author: Roundup Robot (python-dev) Date: 2012-11-09 10:52
New changeset 058ff991bdcb by Ezio Melotti in branch '2.7':
#13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py.  Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/058ff991bdcb

New changeset 2fa338374719 by Ezio Melotti in branch '3.2':
#13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py.  Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/2fa338374719

New changeset ea2cb9b69fd9 by Ezio Melotti in branch '3.3':
#13301: merge with 3.2.
http://hg.python.org/cpython/rev/ea2cb9b69fd9

New changeset aa02f7be68f6 by Ezio Melotti in branch 'default':
#13301: merge with 3.3.
http://hg.python.org/cpython/rev/aa02f7be68f6
msg175220 - Author: Ezio Melotti (ezio.melotti) (Python committer) Date: 2012-11-09 10:53
Fixed, thanks for the patch!
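The thread turns on two points: eval() on the quoted part of a msgid/msgstr line runs whatever expression follows the literal, and the first replacement patch neither decoded escapes like "\n" nor rejected a line such as "\\" or boo. The example below is added here and is not code from the issue, from polib or from CPython's Tools/i18n/msgfmt.py; it shows the approach the committed fix takes (ast.literal_eval() plus a type check) in a small msgid/msgstr parser. The function names po_string, is_po_string and parse_po are assumptions, the .po text is constructed, and msgctxt, msgid_plural and flag comments are deliberately left out.

```python
import ast

# Constructed sample .po input (not taken from the issue). The last entry's
# msgstr is an expression, not a string literal, so a literal_eval-based
# parser rejects it instead of evaluating it the way eval() would.
SAMPLE_PO = '''\
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\\n"

msgid "spam\\n"
msgstr "eggs\\n"
"and more"

msgid "bad"
msgstr "" or boo
'''


def po_string(token):
    """Decode one quoted .po string token, e.g. '"spam\\n"', to a str.

    ast.literal_eval() evaluates only literal syntax (strings, numbers,
    tuples, ...), so a name, call or boolean expression raises ValueError
    instead of being executed. Escapes such as \\n are decoded as in Python.
    """
    try:
        value = ast.literal_eval(token)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"invalid .po string literal: {token!r}") from exc
    if not isinstance(value, str):
        # literal_eval also accepts numbers, tuples, etc.; an entry must be text
        raise ValueError(f"not a string literal: {token!r}")
    return value


def is_po_string(token):
    """True if token decodes to a str without evaluating any expression."""
    try:
        po_string(token)
    except ValueError:
        return False
    return True


def parse_po(text):
    """Parse msgid/msgstr pairs from a minimal .po body (hypothetical helper).

    Returns a list of (msgid, msgstr, error) triples. error is None for a
    well-formed entry and an explanatory message for a rejected one; a
    rejected line is skipped rather than evaluated.
    """
    entries = []
    msgid = msgstr = None
    section = None  # 'id' while reading msgid lines, 'str' for msgstr lines
    error = None

    def flush():
        nonlocal msgid, msgstr, section, error
        if msgid is not None:
            entries.append((msgid, msgstr, error))
        msgid = msgstr = None
        section = None
        error = None

    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            flush()  # blank line terminates the current entry
            continue
        if line.startswith('#'):
            continue  # translator/extracted comments and flags are ignored
        if line.startswith('msgid'):
            flush()
            section = 'id'
            line = line[len('msgid'):]
            msgid = ''
            msgstr = ''
        elif line.startswith('msgstr'):
            section = 'str'
            line = line[len('msgstr'):]
        line = line.strip()
        if not line:
            continue
        try:
            piece = po_string(line)  # the only place the quoted text is decoded
        except ValueError as exc:
            error = f"line {lineno}: {exc}"
            continue
        if section == 'id':
            msgid += piece
        elif section == 'str':
            msgstr += piece  # continuation lines are concatenated
    flush()
    return entries


if __name__ == "__main__":
    for entry in parse_po(SAMPLE_PO):
        print(entry)
```

Compared with the original script, nothing after the closing quote of a line is ever evaluated: the `"" or boo` line is reported with its line number and the entry keeps an empty msgstr, while `"spam\n"` is decoded to a real newline, which the first patch in this thread did not do.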
History
Date | User | Action | Args
2012-11-09 10:53:39 | ezio.melotti | set | status: open -> closed; messages: + msg175220; assignee: ezio.melotti; resolution: fixed; stage: patch review -> resolved
2012-11-09 10:52:15 | python-dev | set | nosy: + python-dev; messages: + msg175219
2012-11-01 20:18:11 | serhiy.storchaka | set | files: + msgfmt_literal_eval.patch; messages: + msg174470; stage: needs patch -> patch review
2012-10-17 20:22:16 | serhiy.storchaka | set | versions: + Python 3.4; nosy: + serhiy.storchaka; messages: + msg173202; stage: patch review -> needs patch
2011-10-31 16:09:46 | eric.araujo | set | nosy: + eric.araujo; versions: - Python 2.6, Python 3.1, Python 3.4
2011-10-31 10:06:23 | izi | set | messages: + msg146683
2011-10-31 10:02:40 | izi | set | files: + msgfmt.py.diff.update1.diff; messages: + msg146681; versions: + Python 2.6, Python 3.1, Python 3.4
2011-10-31 09:58:49 | georg.brandl | set | messages: + msg146680
2011-10-31 09:34:06 | petri.lehtinen | set | nosy: + petri.lehtinen
2011-10-31 09:30:27 | ezio.melotti | set | nosy: + barry, georg.brandl, benjamin.peterson, ezio.melotti; stage: patch review; versions: - Python 2.6, Python 3.1, Python 3.4
2011-10-31 09:18:15 | izi | create |