Message146678
Hi,
I'm the author of the polib Python module. Incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote), I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution; someone could create a malicious po entry like this:
msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")
As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed. I'm adding a patch for this issue.
Regards,
--
David

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2011-10-31 09:18:16 | izi | set | recipients: + izi |
| 2011-10-31 09:18:16 | izi | set | messageid: <1320052696.17.0.926291745102.issue13301@psf.upfronthosting.co.za> |
| 2011-10-31 09:18:15 | izi | link | issue13301 messages |
| 2011-10-31 09:18:15 | izi | create | |
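To make the failure mode concrete from the defender's side, here is an added example (not the author's patch and not the code of CPython's msgfmt.py) that contrasts the eval()-style decoding the report describes with a small hand-written decoder for PO string fragments. The function names `unsafe_unquote`, `unquote_po_string`, `parse_po` and `rejects`, and the sample PO text, are constructed for this example; the eval-based helper only stands in for the pattern the report criticises. The decoder accepts exactly one `"..."` fragment with the gettext escape set, so a line that carries anything after the closing quote (as in the reported entry) raises `ValueError` instead of being executed.

```python
import re

# Escape sequences that gettext allows inside a quoted PO string.
_SIMPLE_ESCAPES = {
    '\\': '\\', '"': '"', 'n': '\n', 't': '\t', 'r': '\r',
    'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v',
}


def unsafe_unquote(quoted):
    """The eval()-based approach described in the report (illustration only):
    whatever follows the string literal is evaluated as a Python expression."""
    return eval(quoted)


def unquote_po_string(quoted):
    """Decode one double-quoted PO fragment without evaluating it.
    Raises ValueError unless the input is exactly "..." with valid escapes."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("PO string must be enclosed in double quotes: %r" % quoted)
    body = quoted[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            # An unescaped quote means the literal ended early; there is
            # trailing material that a PO string may never contain.
            raise ValueError("unescaped quote inside PO string at offset %d" % i)
        if ch != '\\':
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError("trailing backslash in PO string")
        esc = body[i]
        if esc in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[esc])
            i += 1
        elif esc == 'x':
            m = re.match(r'[0-9A-Fa-f]{1,2}', body[i + 1:])
            if not m:
                raise ValueError("malformed \\x escape in PO string")
            out.append(chr(int(m.group(0), 16)))
            i += 1 + len(m.group(0))
        elif esc in '01234567':
            m = re.match(r'[0-7]{1,3}', body[i:])
            out.append(chr(int(m.group(0), 8)))
            i += len(m.group(0))
        else:
            raise ValueError("unknown escape \\%s in PO string" % esc)
    return ''.join(out)


def parse_po(text):
    """Minimal PO reader returning {msgid: msgstr}. Every quoted fragment goes
    through unquote_po_string, so nothing in the file is ever evaluated."""
    entries = {}
    msgid = msgstr = None
    current = None

    def flush():
        if msgid is not None and msgstr is not None:
            entries[msgid] = msgstr

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('msgid '):
            flush()
            msgid = unquote_po_string(line[6:].strip())
            msgstr = None
            current = 'id'
        elif line.startswith('msgstr '):
            msgstr = unquote_po_string(line[7:].strip())
            current = 'str'
        elif line.startswith('"'):
            frag = unquote_po_string(line)
            if current == 'id':
                msgid += frag
            elif current == 'str':
                msgstr += frag
            else:
                raise ValueError("continuation line without msgid/msgstr")
        else:
            raise ValueError("unexpected PO line: %r" % line)
    flush()
    return entries


def rejects(text):
    """True if parse_po refuses the text with ValueError."""
    try:
        parse_po(text)
    except ValueError:
        return True
    return False


# Constructed sample input: a well-formed catalogue with escaped quotes.
SAFE_PO = '''msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\\n"

msgid "Hello, \\"world\\"\\n"
msgstr "Bonjour, \\"monde\\"\\n"
'''

# The entry from the report: rejected by the decoder, never executed.
MALICIOUS_PO = '''msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")
'''

if __name__ == '__main__':
    print(parse_po(SAFE_PO))
    print("malicious entry rejected:", rejects(MALICIOUS_PO))
```

The contrast worth noticing is that `unsafe_unquote('"" or 6*7')` happily returns 42 because the empty string is falsy and the rest of the line is a Python expression, whereas `unquote_po_string` stops at the first character that is not part of a `"..."` literal. Using `ast.literal_eval` instead of `eval` closes the code-execution hole as well, but a format-specific decoder additionally rejects escapes that gettext does not define and surfaces the unescaped-quote case from the linked polib report as a parse error.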