Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gettext: DoS via crafted Plural-Forms #62517

Closed
jwilk mannequin opened this issue Jun 27, 2013 · 9 comments
Closed

gettext: DoS via crafted Plural-Forms #62517

jwilk mannequin opened this issue Jun 27, 2013 · 9 comments
Labels
3.7 (EOL) end of life stdlib Python modules in the Lib dir type-security A security issue

Comments

@jwilk
Copy link
Mannequin

jwilk mannequin commented Jun 27, 2013

BPO 18317
Nosy @warsaw, @pitrou, @tiran, @benjaminp, @jwilk, @serhiy-storchaka
Superseder
  • bpo-28563: Arbitrary code execution in gettext.c2py
    		•
    Files
  • testcase.mo
  • testcase.py
  • 18317_gettext.patch
  • 18317_gettext2.patch
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2016-11-08.19:32:58.506>
created_at = <Date 2013-06-27.22:01:26.289>
labels = ['type-security', '3.7', 'library']
title = 'gettext: DoS via crafted Plural-Forms'
updated_at = <Date 2016-11-08.19:32:58.504>
user = 'https://github.com/jwilk'

    bugs.python.org fields:

    activity = <Date 2016-11-08.19:32:58.504>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2016-11-08.19:32:58.506>
closer = 'serhiy.storchaka'
components = ['Library (Lib)']
creation = <Date 2013-06-27.22:01:26.289>
creator = 'jwilk'
dependencies = []
files = ['30715', '30716', '30721', '30725']
hgrepos = []
issue_num = 18317
keywords = ['patch']
message_count = 9.0
messages = ['191963', '191968', '191969', '191972', '191980', '191981', '191983', '191995', '280338']
nosy_count = 6.0
nosy_names = ['barry', 'pitrou', 'christian.heimes', 'benjamin.peterson', 'jwilk', 'serhiy.storchaka']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = '28563'
type = 'security'
url = 'https://bugs.python.org/issue18317'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7']
    @jwilk
    Copy link
    Mannequin Author

    jwilk mannequin commented Jun 27, 2013

    It is possible to craft a MO file with Plural-Forms taking arbitrary amounts of CPU and memory to evaluate. A test case is attached.

    I realize that opening unstrusted MO files is a rather unusual use case, but the module already contains some code to protect againt malicious Plural-Forms, so I thought you might want to fix this problem as well.

    @jwilk jwilk mannequin added stdlib Python modules in the Lib dir type-security A security issue labels Jun 27, 2013
    @tiran
    Copy link
    Member

    tiran commented Jun 27, 2013

    Thanks,

    can you please provide the PO file, too? Or did you construct the MO file manually?

    @tiran
    Copy link
    Member

    tiran commented Jun 27, 2013

    Ah, I see what you are doing. Nice catch!

    Plural-Forms: nplurals=0; plural=42**42**42;

    The plural form gets parsed by gettext.c2py() and eventually turned into a lambda that executes int(42**42**42). Perhaps a custom AST visitor could be used to filter out dangerous ops and limit the amount of ops to a sane amount?

    @benjaminp
    Copy link
    Contributor

    Why do we have "support" for untrusted MO files?

    @pitrou
    Copy link
    Member

    pitrou commented Jun 28, 2013

    I would rather ask: why do we eval() MO files?

    @tiran
    Copy link
    Member

    tiran commented Jun 28, 2013

    We don't eval() the whole MO file. It's just the pluralization formula, http://www.gnu.org/software/gettext/manual/gettext.html#index-nplurals_0040r_007b_002c-in-a-PO-file-header_007d-1093

    The patch uses ast.NodeVisitor to look for dangerous code.

    @jwilk
    Copy link
    Mannequin Author

    jwilk mannequin commented Jun 28, 2013

    Making token filtering more thorough may be simpler that going through AST.

    I think Python should accept all the operators that GNU gettext accepts:
    http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y?id=v0.18.2.1#n132

    @tiran
    Copy link
    Member

    tiran commented Jun 28, 2013

    Thanks for the link plural.y! I was looking for a C file, not a YACC file.

    The AST approach has advantages over tokenizing. The tokenizer returns just symbols but the AST has also context information. It makes it much easier to distinguish between unary - and binary -. Gettext supports substraction but doesn't allow negative numbers.

    Python's gettext is not as strict as GNU gettext. For 3.4 I like to forbid oct and hex numbers, too.

    @tiran tiran added the 3.7 (EOL) end of life label Sep 8, 2016
    @serhiy-storchaka
    Copy link
    Member

    The DoS as well as other flaws is fixed in bpo-28563 by implementing a complete parser for GNU gettext plural form expressions.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.7 (EOL) end of life stdlib Python modules in the Lib dir type-security A security issue
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    4 participants
    @benjaminp @tiran @pitrou @serhiy-storchaka