Message378111
> FWIW I found another place where a similar thing is done, though by chance it's probably not exploitable - see GH-22575.
I agree that test_ucn is not exploitable, but it would be nice to harden it anyway.
Extract of the code:
    # unicodedata.lookup() must resolve the name to the listed code points first ...
    self.assertEqual(unicodedata.lookup(seqname), codepoints)
    # ... and only then is the name tried in a "\N{...}" literal, which must reject named sequences
    with self.assertRaises(SyntaxError):
        self.checkletter(seqname, None)
test_ucn downloads http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt and calls checkletter() on each line, but first it ensures that unicodedata.lookup(seqname) works as expected.
I don't see how it would be possible to inject arbitrary Python code in the 'seqname' variable without making unicodedata.lookup() fail.
Date | User | Action | Args
2020-10-06 10:55:47 | vstinner | set | recipients: + vstinner, zach.ware, serhiy.storchaka, The Compiler, pablogsal
2020-10-06 10:55:47 | vstinner | set | messageid: <1601981747.79.0.0237936862585.issue41944@roundup.psfhosted.org>
2020-10-06 10:55:47 | vstinner | link | issue41944 messages
2020-10-06 10:55:47 | vstinner | create |
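As an added example (not vstinner's or CPython's code), here is a check in the spirit of the hardening suggested above: each NamedSequences.txt line is validated, by a name-syntax allowlist and by unicodedata.lookup(), before its name could ever be placed inside a "\N{...}" literal. The allowlist regex and the sample lines, including the hostile one, are my own assumptions.

```python
import re
import unicodedata

# Unicode character and named-sequence names are built only from uppercase
# letters, digits, space and hyphen. This allowlist is an added check, not
# something test_ucn does today.
NAME_RE = re.compile(r"^[A-Z0-9][A-Z0-9 -]*$")

def parse_line(line):
    """Parse one 'NAME;CP CP ...' line of NamedSequences.txt into (name, str)."""
    name, _, codepoints = line.partition(";")
    seq = "".join(chr(int(cp, 16)) for cp in codepoints.split())
    return name.strip(), seq

def check_line(line):
    """Return 'ok' for a well-formed, known named sequence, else the reason.

    The order mirrors the test: the name must pass the syntax allowlist and
    unicodedata.lookup() must return the listed code points before the name
    is ever used anywhere near an eval()'d "\\N{...}" literal.
    """
    try:
        name, expected = parse_line(line)
    except ValueError:
        return "malformed line"
    if not NAME_RE.match(name):
        return "name contains characters outside [A-Z0-9 -]"
    try:
        actual = unicodedata.lookup(name)
    except KeyError:
        return "unknown name"
    if actual != expected:
        return "code points do not match lookup()"
    return "ok"

# Constructed sample lines: two genuine entries from NamedSequences.txt and
# one hostile line whose "name" tries to break out of a \N{...} escape.
SAMPLE = [
    "LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100 0300",
    "TAMIL CONSONANT K;0B95 0BCD",
    'NOT A NAME}" + "INJECTED;0041',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line!r}: {check_line(line)}")
```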