Message221394
Code such as this:
class Foo:
def __str__(self):
# Perhaps this value comes from user input, or
# some other unsafe source
return something_untrusted
def isidentifier(self):
# Perhaps it returns false in some esoteric case
# which we don't care about. Assume developer
# did not know about str.isidentifier() and
# the name clash is accidental.
return True
collections.namedtuple(Foo(), ())
...may result in arbitrary code execution. Since the collections documentation does not say that such things can happen, this could result in highly obscure security vulnerabilities. The easiest fix is to simply call str() on the typename argument to namedtuple(), as is currently done with the field_names argument. But IMHO this is like cleaning up an SQL injection with string sanitizing, instead of just switching to prepared statements. The "switch to prepared statements" route is conveniently available as a rejected patch for issue 3974.
The above code will not work as such in Python 2.7, but more elaborate shenanigans can fool the sanitizing in that version as well.
This issue was originally reported on security@python.org, where I was advised to file a bug report normally. |
|
Date |
User |
Action |
Args |
2014-06-24 03:52:23 | Kevin.Norris | set | recipients:
+ Kevin.Norris |
2014-06-24 03:52:23 | Kevin.Norris | set | messageid: <1403581943.09.0.462599950196.issue21832@psf.upfronthosting.co.za> |
2014-06-24 03:52:23 | Kevin.Norris | link | issue21832 messages |
2014-06-24 03:52:22 | Kevin.Norris | create | |
|