
collections.namedtuple does questionable things when passed questionable arguments #66031

Closed
KevinNorris mannequin opened this issue Jun 24, 2014 · 7 comments
Labels
stdlib Python modules in the Lib dir

Comments

@KevinNorris
Mannequin

KevinNorris mannequin commented Jun 24, 2014

BPO 21832
Nosy @rhettinger, @vstinner

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = 'https://github.com/rhettinger'
closed_at = <Date 2014-06-24.20:50:44.691>
created_at = <Date 2014-06-24.03:52:23.011>
labels = ['library']
title = 'collections.namedtuple does questionable things when passed questionable arguments'
updated_at = <Date 2014-06-25.01:13:39.992>
user = 'https://bugs.python.org/KevinNorris'

bugs.python.org fields:

activity = <Date 2014-06-25.01:13:39.992>
actor = 'python-dev'
assignee = 'rhettinger'
closed = True
closed_date = <Date 2014-06-24.20:50:44.691>
closer = 'rhettinger'
components = ['Library (Lib)']
creation = <Date 2014-06-24.03:52:23.011>
creator = 'Kevin.Norris'
dependencies = []
files = []
hgrepos = []
issue_num = 21832
keywords = []
message_count = 7.0
messages = ['221394', '221416', '221492', '221496', '221497', '221515', '221516']
nosy_count = 4.0
nosy_names = ['rhettinger', 'vstinner', 'python-dev', 'Kevin.Norris']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue21832'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5']

@KevinNorris
Mannequin Author

KevinNorris mannequin commented Jun 24, 2014

Code such as this:

    import collections

    # Placeholder for the untrusted value referred to in the comments below;
    # it stands in for user input or some other unsafe source.
    something_untrusted = "Foo"

    class Foo:
        def __str__(self):
            # Perhaps this value comes from user input, or
            # some other unsafe source
            return something_untrusted
        def isidentifier(self):
            # Perhaps it returns false in some esoteric case
            # which we don't care about. Assume developer
            # did not know about str.isidentifier() and
            # the name clash is accidental.
            return True

    collections.namedtuple(Foo(), ())

...may result in arbitrary code execution. Since the collections documentation does not say that such things can happen, this could result in highly obscure security vulnerabilities. The easiest fix is to simply call str() on the typename argument to namedtuple(), as is currently done with the field_names argument. But IMHO this is like cleaning up an SQL injection with string sanitizing, instead of just switching to prepared statements. The "switch to prepared statements" route is conveniently available as a rejected patch for bpo-3974.

The above code will not work as such in Python 2.7, but more elaborate shenanigans can fool the sanitizing in that version as well.

This issue was originally reported on security@python.org, where I was advised to file a bug report normally.

@KevinNorris KevinNorris mannequin added the stdlib Python modules in the Lib dir label Jun 24, 2014
@vstinner
Member

IMO we should rewrite the implementation of namedtuple to completely avoid eval(). But there is the problem of the _source attribute: bpo-19640.

@rhettinger rhettinger self-assigned this Jun 24, 2014
@rhettinger
Contributor

ISTM that in order to run your code, a person already has to have the ability to run arbitrary code.

The purpose of the existing checks was to support the use-case where the field names are taken from the header line of CSV files.

I would be happy to add a test for exact string inputs but will not throw out the current design, which has a number of advantages including the ability to keep just the generated code and throw away the factory function itself.

@python-dev
Mannequin

python-dev mannequin commented Jun 24, 2014

New changeset 30063f97a44d by Raymond Hettinger in branch '2.7':
bpo-21832: Require named tuple inputs to be exact strings
http://hg.python.org/cpython/rev/30063f97a44d

@rhettinger
Contributor

I'll add the 3.4 and 3.5 as well plus a Misc/NEWS item shortly.

@python-dev
Mannequin

python-dev mannequin commented Jun 25, 2014

New changeset c238d2899d47 by Raymond Hettinger in branch '3.4':
bpo-21832: Require named tuple inputs to be exact strings
http://hg.python.org/cpython/rev/c238d2899d47

New changeset 5c60dd518182 by Raymond Hettinger in branch '3.4':
bpo-21832: Require named tuple inputs to be exact strings
http://hg.python.org/cpython/rev/5c60dd518182

@python-dev
Mannequin

python-dev mannequin commented Jun 25, 2014

New changeset 958e8bebda6d by Raymond Hettinger in branch '3.4':
Add news entry for bpo-21832
http://hg.python.org/cpython/rev/958e8bebda6d
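The report at the top of this thread and the "exact strings" fix in the changesets above, as an added worked example. This is not CPython's namedtuple and not code from anyone on this thread: `build_source_ducktyped`, `build_source_strict`, `QuestionableName` and `SneakyStr` are hypothetical names for a minimal factory modelled on the design the report describes (validate the names, `str.format()` them into a class-body template, exec() the result). Both builders stop before the exec() and return the generated source, so nothing untrusted is ever executed. The duck-typed variant calls `.isidentifier()` on whatever object it was handed while `str.format()` later substitutes `str()` of that object, which is the mismatch the report relies on; the strict variant applies the exact-type test the commit messages describe (`type(name) is str`, not `isinstance`), which also rejects a `str` subclass with an overridden `__str__`, a case `isinstance` would wave through. The two constructed inputs render to deliberately benign text.

```python
import keyword

# Hypothetical minimal factory (not CPython's namedtuple): validate names,
# format them into a source template, and, in the real design, exec() it.
# Each builder here returns the generated source instead of exec()ing it,
# so the substitution can be inspected without running anything.
_TEMPLATE = "class {typename}(tuple):\n    _fields = {fields!r}\n"


def _looks_like_identifier(name):
    # Duck-typed check: trusts whatever .isidentifier() the object provides.
    return name.isidentifier() and not keyword.iskeyword(name)


def build_source_ducktyped(typename, field_names):
    """Pre-fix style: field names are str()'d, the type name is not, and
    str.format() later substitutes str(typename), which was never checked."""
    field_names = [str(f) for f in field_names]
    for name in [typename] + field_names:
        if not _looks_like_identifier(name):
            raise ValueError("invalid name: %r" % (name,))
    return _TEMPLATE.format(typename=typename, fields=tuple(field_names))


def build_source_strict(typename, field_names):
    """Post-fix style: every name must be an exact str (type(name) is str,
    not merely isinstance) before any other check runs, so the value that
    was validated is the value that gets substituted."""
    field_names = [str(f) for f in field_names]
    for name in [typename] + field_names:
        if type(name) is not str:
            raise TypeError("Type names and field names must be strings")
        if not _looks_like_identifier(name):
            raise ValueError("invalid name: %r" % (name,))
    return _TEMPLATE.format(typename=typename, fields=tuple(field_names))


class QuestionableName:
    """Constructed stand-in for the reporter's Foo: not a str, claims to be
    an identifier, and stringifies to something else entirely."""

    def __init__(self, rendered):
        self.rendered = rendered

    def isidentifier(self):
        return True

    def __str__(self):
        return self.rendered


class SneakyStr(str):
    """Constructed str subclass: isinstance(x, str) and .isidentifier() both
    look at the real string data, but str.format() substitutes __str__()."""

    def __str__(self):
        return "not an identifier"


def substituted_typename(source):
    """Recover the text that actually landed on the 'class ...' line."""
    return source[len("class "):source.index("(tuple)")]


def check(builder, typename):
    """Run one builder on a constructed two-field layout and report either
    ('rejected', exception name) or ('accepted', substituted type name,
    whether that substituted name is actually a valid identifier)."""
    try:
        source = builder(typename, ["x", "y"])
    except (TypeError, ValueError) as exc:
        return ("rejected", type(exc).__name__)
    sub = substituted_typename(source)
    return ("accepted", sub, sub.isidentifier())


if __name__ == "__main__":
    inputs = ["Point", QuestionableName("not an identifier"), SneakyStr("Point")]
    for name in inputs:
        print(type(name).__name__,
              check(build_source_ducktyped, name),
              check(build_source_strict, name))
```

Running the block prints one line per input with both builders' verdicts; the value to look at is the recovered type name in the duck-typed case, which is not an identifier even though validation passed. The lesson generalises past namedtuple: any validate-then-format-then-exec pipeline has to validate the exact object that will be formatted, and an exact-type test is the cheapest way to make the two coincide.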

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022