Message311562
A server that exposes arbitrary exec's to user-submitted data can already be controlled. exec can do anything that Python can do, that's the whole point. Sure, crashing Python is bad, but it could also keep Python alive and start dumping the database to arbitrary people, deleting files, etc.
Also, your Proof of Concept code is cluttered with pointless garbage AFAICT. Do you really need all the unused multiline strings to trigger this? |
|
Date |
User |
Action |
Args |
2018-02-03 17:20:41 | josh.r | set | recipients:
+ josh.r, hadimene |
2018-02-03 17:20:41 | josh.r | set | messageid: <1517678441.02.0.467229070634.issue32757@psf.upfronthosting.co.za> |
2018-02-03 17:20:41 | josh.r | link | issue32757 messages |
2018-02-03 17:20:40 | josh.r | create | |
|