
Author: izi
Recipients: izi
Date: 2011-10-31 09:18:14
Message-id: <1320052696.17.0.926291745102.issue13301@psf.upfronthosting.co.za>
Content
Hi, 

I'm the author of the polib Python module. Incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote), I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution; someone could create a malicious po entry like this:

msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")

As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed. I'm adding a patch for this issue.

Regards,

-- 
David
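As an added example that is not the patch attached to this issue (nor code from msgfmt.py or polib), here is how a msgid/msgstr line can be decoded without eval(): the quoted token is unescaped by hand, so an unescaped quote inside it or any text after the closing quote is rejected rather than executed. The keyword regex, the escape table and the function names are this example's own assumptions.

```python
import re

# Added example, not the patch attached to this issue: decode the quoted
# string on a msgid/msgstr line by hand instead of passing the raw text to
# eval(), so text after the closing quote can never be executed.

# C-style escapes accepted inside a PO string; anything else is rejected
# (\ooo and \xhh escapes are not handled here; extend the table if needed).
_ESCAPES = {
    'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b',
    'f': '\f', 'v': '\v', '"': '"', '\\': '\\',
}
_PO_LINE = re.compile(r'^\s*(msgid|msgid_plural|msgstr(?:\[\d+\])?|msgctxt)\s+(".*")\s*$')


def decode_po_string(token):
    """Turn one double-quoted PO token into its text; raise on anything else."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("expected a single double-quoted string: %r" % token)
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == '"':
            # An unescaped quote means the literal ended early and whatever
            # follows is not string data; eval() is what would execute it.
            raise ValueError("unescaped quote inside PO string: %r" % token)
        if c == '\\':
            i += 1
            if i >= len(body) or body[i] not in _ESCAPES:
                raise ValueError("bad escape sequence in %r" % token)
            c = _ESCAPES[body[i]]
        out.append(c)
        i += 1
    return ''.join(out)


def parse_po_line(line):
    """Return (keyword, text) for a msgid/msgstr line, or raise ValueError."""
    m = _PO_LINE.match(line)
    if m is None:
        raise ValueError("not a PO keyword line with one quoted string: %r" % line)
    return m.group(1), decode_po_string(m.group(2))


def po_line_is_valid(line):
    """Convenience check: True if the line parses, False if it is rejected."""
    try:
        parse_po_line(line)
    except ValueError:
        return False
    return True
```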
History
Date                 User  Action  Args
2011-10-31 09:18:16  izi   set     recipients: + izi
2011-10-31 09:18:16  izi   set     messageid: <1320052696.17.0.926291745102.issue13301@psf.upfronthosting.co.za>
2011-10-31 09:18:15  izi   link    issue13301 messages
2011-10-31 09:18:15  izi   create