
Author Kevin.Norris
Recipients Kevin.Norris
Date 2014-06-24.03:52:22
Message-id <1403581943.09.0.462599950196.issue21832@psf.upfronthosting.co.za>
Content
Code such as this:

    import collections

    class Foo:
        def __str__(self):
            # Perhaps this value comes from user input, or
            # some other unsafe source
            return something_untrusted
        def isidentifier(self):
            # Perhaps it returns false in some esoteric case
            # which we don't care about. Assume developer
            # did not know about str.isidentifier() and
            # the name clash is accidental.
            return True

    collections.namedtuple(Foo(), ())

...may result in arbitrary code execution.  Since the collections documentation does not say that such things can happen, this could result in highly obscure security vulnerabilities.  The easiest fix is to simply call str() on the typename argument to namedtuple(), as is currently done with the field_names argument.  But IMHO this is like cleaning up an SQL injection with string sanitizing, instead of just switching to prepared statements.  The "switch to prepared statements" route is conveniently available as a rejected patch for issue 3974.

The above code will not work as such in Python 2.7, but more elaborate shenanigans can fool the sanitizing in that version as well.

This issue was originally reported on security@python.org, where I was advised to file a bug report normally.
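Added example (not part of the report or of CPython): a wrapper that applies the str()-first fix described above, so a duck-typed typename whose isidentifier() lies is judged on its real string form before anything reaches namedtuple(). The names SpoofedName, validate_typename and safe_namedtuple are chosen here, and the sample strings are constructed.

```python
import collections
import keyword


class SpoofedName:
    """Constructed stand-in for the report's Foo: a non-str object whose
    str() form is untrusted while isidentifier() always answers True."""

    def __init__(self, text):
        self._text = text

    def __str__(self):
        return self._text

    def isidentifier(self):
        # Misleads any caller that trusts a duck-typed isidentifier().
        return True


def validate_typename(typename):
    """Coerce typename to str *before* validating, so only the real
    str.isidentifier() is consulted (the same treatment the report notes
    field_names already get).  Returns the str or raises ValueError;
    nothing is exec'd here."""
    name = str(typename)
    if not name.isidentifier():
        raise ValueError(f"Type names must be valid identifiers: {name!r}")
    if keyword.iskeyword(name):
        raise ValueError(f"Type names cannot be a keyword: {name!r}")
    return name


def safe_namedtuple(typename, field_names, **kwargs):
    """namedtuple() wrapper that validates typename as a plain str first."""
    return collections.namedtuple(validate_typename(typename), field_names, **kwargs)


def typename_accepted(typename):
    """True if validate_typename() accepts the object, False if it rejects it."""
    try:
        validate_typename(typename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    Point = safe_namedtuple("Point", ["x", "y"])
    print(Point(1, 2))
    bad = SpoofedName("Bad Name!")
    # The object itself claims to be an identifier, but its str() is not one.
    print(bad.isidentifier(), typename_accepted(bad))  # True False
```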