bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests by The-Compiler · Pull Request #22575 · python/cpython


Conversation


The-Compiler

Similarly to GH-22566, those tests called eval() on content received via HTTP in test_named_sequences_full. This likely isn't exploitable because unicodedata.lookup(seqname) is called before self.checkletter(seqname, None) - thus any string which isn't a valid Unicode character name wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.

https://bugs.python.org/issue41944


vstinner


LGTM.

The test still runs and still passes:

$ ./python -m test -u all test_ucn -v
(...)
test_named_sequences_full (test.test_ucn.UnicodeNamesTest) ...
    fetching http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt ...
ok
(...)
Tests result: SUCCESS


serhiy-storchaka


literal_eval() is not a "safe eval", but in this case it does not make things worse.
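Worked example, added here and not taken from the PR or from CPython's own test suite, showing why the change matters and what the literal_eval() caveat in the comment above means in practice. It assumes the test helper built its source text as "\N{NAME}" around a name read from a fetched line (this template is an assumption about the helper, not something quoted on this page). The NamedSequences-style records, including the hostile one, are constructed for the example. The hostile "name" closes the string literal and splices in an expression: eval() executes it (the EXECUTED sentinel records that it ran), ast.literal_eval() rejects it with ValueError, and the unicodedata.lookup() guard the PR description relies on rejects it with KeyError before either helper would run.

```python
import ast
import unicodedata

# Sentinel that the injected expression appends to, so the example can prove
# (without touching the OS) that eval() really executed attacker-controlled code.
EXECUTED = []

# Constructed sample in the NamedSequences.txt layout "NAME;CODEPOINT CODEPOINT ...".
# Not the real file: the first record is a plain character name used as a control,
# the second is a real named sequence, the third is a hostile record whose "name"
# closes the string literal the helper builds and splices in a call expression.
SAMPLE_LINES = [
    "# constructed sample, not the real NamedSequences.txt",
    "LATIN SMALL LETTER A;0061",
    "LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100 0300",
    'LATIN SMALL LETTER A}" + str(EXECUTED.append("ran")) + ";0061',
]


def build_source(name):
    # Assumed to mirror the helper's construction: a raw string "\N{NAME}".
    # Because NAME is interpolated into source code, a '"' in it breaks out of
    # the literal; this is the injection point that made eval() dangerous.
    return r'"\N{%s}"' % name


def checkletter_eval(name):
    # Pre-fix behaviour (deliberately unsafe): any spliced-in expression executes.
    return eval(build_source(name))


def checkletter_literal_eval(name):
    # Post-fix behaviour: ast.literal_eval() only evaluates literal nodes and
    # raises ValueError on anything else, while the compiler still decodes the
    # \N{...} escape exactly as before.
    return ast.literal_eval(build_source(name))


def run_helper(fn, name):
    # Return "ok" if the helper returned normally, else the raised exception's name.
    try:
        fn(name)
        return "ok"
    except Exception as exc:  # SyntaxError, ValueError, KeyError, ...
        return type(exc).__name__


def lookup_ok(name):
    # The guard the PR description relies on: unicodedata.lookup() runs before
    # checkletter() and raises KeyError for anything that is not a real character
    # or named-sequence name, so a hostile "name" never reaches the helper.
    try:
        unicodedata.lookup(name)
        return True
    except KeyError:
        return False


def audit(lines):
    # Parse records the way the test does (skip blanks and comments, split on ';')
    # and report how the guard and each helper treat every name.
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        seqname, _codepoints = line.split(";")
        report.append({
            "name": seqname,
            "lookup_ok": lookup_ok(seqname),
            "eval": run_helper(checkletter_eval, seqname),
            "literal_eval": run_helper(checkletter_literal_eval, seqname),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LINES):
        print(row)
    print("code executed by eval():", EXECUTED)
```

The named sequence raises SyntaxError under both helpers, because the \N{...} escape only accepts single character names; that is the behaviour the real test asserts, and it is unchanged by the fix. What literal_eval() still does not protect against is resource exhaustion: it hands attacker-controlled text to the full parser, so pathological input can still blow the recursion limit or memory. That is the sense in which it is not a "safe eval", only a strictly narrower one than eval(), and why the lookup() guard in front of it remains worth having.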


shihai1991 added a commit to shihai1991/cpython that referenced this pull request on Oct 9, 2020

xzy3 pushed a commit to xzy3/cpython that referenced this pull request on Oct 18, 2020