
Author vstinner
Recipients The Compiler, pablogsal, serhiy.storchaka, vstinner, zach.ware
Date 2020-10-06.10:55:47
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1601981747.79.0.0237936862585.issue41944@roundup.psfhosted.org>
In-reply-to
Content
> FWIW I found another place where a similar thing is done, though by chance it's probably not exploitable - see GH-22575.

I agree that test_ucn is not exploitable, but it would be nice to harden it anyway.

Extract of the code:

            self.assertEqual(unicodedata.lookup(seqname), codepoints)
            with self.assertRaises(SyntaxError):
                self.checkletter(seqname, None)

test_ucn downloads http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt and calls checkletter() on each line, but first it ensures that unicodedata.lookup(seqname) works as expected.

I don't see how it would be possible to inject arbitrary Python code in the 'seqname' variable without making unicodedata.lookup() fail.
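As an added illustration of the ordering the message relies on (this is example code, not CPython's test_ucn): a parser for NamedSequences.txt-style lines that accepts a name only after it passes the Unicode name grammar and resolves through unicodedata.lookup() to exactly the listed code points, so nothing from the downloaded file is used any further before that check. The sample lines are constructed; the name grammar regex is my reading of UAX #44 (uppercase letters, digits, space, hyphen).

```python
import re
import unicodedata

# Constructed sample in the NamedSequences.txt layout ("NAME;HEX HEX ..."),
# including a comment, an unknown name, a mismatched sequence, a name outside
# the grammar and a malformed line. Not the real file.
SAMPLE_LINES = """\
# NamedSequences-style sample (constructed)
LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100 0300
LATIN SMALL LETTER A WITH MACRON AND GRAVE;0101 0300
NO SUCH SEQUENCE NAME;0041 0042
LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0041 0300
not_a_valid_name;0041
MISSING SEMICOLON 0041
""".splitlines()

# Assumption: Unicode character/sequence names use only A-Z, 0-9, space, hyphen.
NAME_RE = re.compile(r"^[A-Z0-9][A-Z0-9 -]*$")


def parse_named_sequences(lines):
    """Return ({name: sequence}, [(line, reason), ...]).

    A name is accepted only if it (1) matches the name grammar and
    (2) resolves via unicodedata.lookup() to exactly the listed code points.
    Anything else is rejected before the name is used for anything further
    (such as building a \\N{...} literal, as test_ucn's checkletter() does).
    """
    accepted, rejected = {}, []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            name, hexpoints = (part.strip() for part in line.split(";", 1))
            expected = "".join(chr(int(cp, 16)) for cp in hexpoints.split())
        except ValueError:                    # no ';' or non-hex code point
            rejected.append((line, "malformed line"))
            continue
        if not NAME_RE.match(name):
            rejected.append((line, "name outside the Unicode name grammar"))
            continue
        try:
            found = unicodedata.lookup(name)  # KeyError for an unknown name
        except KeyError:
            rejected.append((line, "unknown name"))
            continue
        if found != expected:
            rejected.append((line, "code points do not match lookup()"))
            continue
        accepted[name] = expected
    return accepted, rejected
```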
History
Date                 User      Action  Args
2020-10-06 10:55:47  vstinner  set     recipients: + vstinner, zach.ware, serhiy.storchaka, The Compiler, pablogsal
2020-10-06 10:55:47  vstinner  set     messageid: <1601981747.79.0.0237936862585.issue41944@roundup.psfhosted.org>
2020-10-06 10:55:47  vstinner  link    issue41944 messages
2020-10-06 10:55:47  vstinner  create