Message280048
It doesn't solve the case when an identifier or number is used as a function:
>>> import os
>>> gettext.c2py("n()")(lambda: os.system("sh"))
$
0
>>> gettext.c2py("1()")(0)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <lambda>
TypeError: 'int' object is not callable
This is more of an unintended behavior than a security issue.
Xiang Zhang: I've created a patch based on yours which handles the above case. I've also added a corresponding test case.
Imo it would be even better if we could avoid eval. One possible (and safe) way would be to construct a safe subset of Python using the ast module. This would however still require that the C-style syntax is translated to Python. As you mention, there are issues parsing and translating nested ternary operators, and I doubt it will be possible to cover all cases with the regex replace utilized today. |
|
Date |
User |
Action |
Args |
2016-11-04 15:05:47 | Carl Ekerot | set | recipients:
+ Carl Ekerot, loewis, serhiy.storchaka, xiang.zhang |
2016-11-04 15:05:47 | Carl Ekerot | set | messageid: <1478271947.28.0.595157506036.issue28563@psf.upfronthosting.co.za> |
2016-11-04 15:05:47 | Carl Ekerot | link | issue28563 messages |
2016-11-04 15:05:46 | Carl Ekerot | create | |
|