Message280119
> The gettext module might be vulnerable to f-string attacks
It is. See the example in the first comment:
gettext.c2py('f"{os.system(\'sh\')}"')(0)
This vulnerability seems to be solved in Xiang's patch. The DoS aspect is interesting though, since there are no constraints against malicious use of the power operator, say "9**9**9**..**9". This too would be solved by implementing a parser with only simple arithmetic.
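The "parser with only simple arithmetic" proposed above, as an added example that is not from the issue, Xiang's patch or CPython's gettext module: a whitelist tokenizer plus a recursive-descent parser that compiles a Plural-Forms expression into a closure without ever calling eval(), so f-string payloads are rejected before evaluation and there is no `**` operator for a 9**9**9 DoS. The names `_Parser` and `c2py` are this example's own (the latter only mirrors the stdlib function name), and the unary `!` operator is left out.

```python
import operator as op
import re

# Tokens of the GNU gettext Plural-Forms grammar: integers, the variable n, parentheses and
# the C operators it allows.  Anything else (f-strings, names, '**') is rejected before any evaluation.
_TOKEN = re.compile(r'\d+|n|\|\||&&|==|!=|<=|>=|[-<>+*/%?:()]')
# Binary operators from loosest to tightest binding (C precedence); there is no exponentiation.
_LEVELS = [('||',), ('&&',), ('==', '!='), ('<', '>', '<=', '>='), ('+', '-'), ('*', '/', '%')]
_OPS = {'||': lambda a, b: bool(a) or bool(b), '&&': lambda a, b: bool(a) and bool(b),
        '==': op.eq, '!=': op.ne, '<': op.lt, '>': op.gt, '<=': op.le, '>=': op.ge,
        '+': op.add, '-': op.sub, '*': op.mul, '/': op.floordiv, '%': op.mod}  # n >= 0, so // is C's /

class _Parser:  # recursive descent; compiles tokens into a closure n -> int, never calls eval()
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"unexpected token {tok!r}")
        self.i += 1; return tok
    def ternary(self):  # cond ? a : b, right-associative as in C
        cond = self.binary(0)
        if self.peek() != '?': return cond
        self.take('?'); yes = self.ternary(); self.take(':'); no = self.ternary()
        return lambda n: yes(n) if cond(n) else no(n)
    def binary(self, level):
        left = self.binary(level + 1) if level < len(_LEVELS) else self.operand()
        while level < len(_LEVELS) and self.peek() in _LEVELS[level]:
            o, right = self.take(), self.binary(level + 1)
            left = (lambda l, r, f: lambda n: f(l(n), r(n)))(left, right, _OPS[o])
        return left
    def operand(self):
        tok = self.take()
        if tok == '(':
            e = self.ternary(); self.take(')'); return e
        if tok == 'n' or tok.isdigit():
            v = None if tok == 'n' else int(tok)
            return lambda n: n if v is None else v
        raise ValueError(f"unexpected token {tok!r}")

def c2py(plural_forms):
    src = ''.join(plural_forms.split())  # the grammar is whitespace-insensitive
    tokens = _TOKEN.findall(src)
    if ''.join(tokens) != src:  # findall skipped a character outside the grammar
        raise ValueError("illegal character in Plural-Forms expression")
    parser = _Parser(tokens)
    func = parser.ternary()
    if parser.peek() is not None: raise ValueError(f"trailing input at token {parser.peek()!r}")
    return lambda n: int(func(n))
```

Deeply nested parentheses raise RecursionError rather than ValueError, so code compiling untrusted .mo headers should also bound the header's length before calling c2py().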
Date | User | Action | Args
2016-11-05 18:00:32 | Carl Ekerot | set | recipients: + Carl Ekerot, loewis, christian.heimes, serhiy.storchaka, xiang.zhang
2016-11-05 18:00:31 | Carl Ekerot | set | messageid: <1478368831.96.0.692466556365.issue28563@psf.upfronthosting.co.za>
2016-11-05 18:00:31 | Carl Ekerot | link | issue28563 messages
2016-11-05 18:00:31 | Carl Ekerot | create |