[Python-Dev] [Python-checkins] cpython (3.2): Issue #15445: Updated logging configuration documentation to highlight
Nick Coghlan ncoghlan at gmail.com
Thu Jul 26 03:03:05 CEST 2012
- Previous message: [Python-Dev] feature freeze questions
- Next message: [Python-Dev] Who's maintaining Sphinx nowadays?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, Jul 26, 2012 at 4:20 AM, vinay.sajip <python-checkins at python.org> wrote:
+ .. note:: Because portions of the configuration are passed through + :func:
eval
, use of this function may open its users to a security risk. + While the function only binds to a socket onlocalhost
, and so does + not accept connections from remote machines, there are scenarios where + untrusted code could be run under the account of the process which calls + :func:listen
. Specifically, if the process calling :func:listen
runs + on a multi-user machine where users cannot trust each other, then a + malicious user could arrange to run essentially arbitrary code in a + victim user's process, simply by connecting to the victim's + :func:listen
socket and sending a configuration which runs whatever + code the attacker wants to have executed in the victim's process. This is + especially easy to do if the default port is used, but not hard even if a + different port is used).
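Review bot: the closing sentence of the note ends with a ")" that was never opened ("... not hard even if a different port is used)."); drop the stray parenthesis. More substantively, the note spells out the attack scenario but gives the reader no guidance on when :func:`listen` is acceptable to use; since the risk as described comes from any local account being able to connect to the localhost socket, the note should state plainly that :func:`listen` is only appropriate on hosts where every local user is trusted, and that picking a non-default port is not a mitigation (the text itself says it is "not hard even if a different port is used").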
Looking at PEP 391, it appears it should be possible to replace the current use of eval() with a combination of the much safer ast.literal_eval() and the str.format attribute/item access micro-language.
Worth exploring for 3.4 (http://bugs.python.org/issue15452), as it would be better to actually try to close this attack vector rather than just documenting that it exists.
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
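Nick's suggestion above, worked through as an added example that is not part of the original thread and not code from CPython's logging package: a resolver for dotted/indexed configuration references (modelled on the cfg:// references PEP 391 describes) that accepts only the str.format field grammar, uses ast.literal_eval for bracketed index literals, and never calls eval(). The sample config dict, the function names and the exact accepted grammar are my assumptions.

```python
import ast
import re
from typing import Any, List

# Constructed sample config, shaped like the dict that dictConfig() accepts.
SAMPLE_CONFIG = {
    "handlers": {
        "console": {"class": "logging.StreamHandler", "level": "DEBUG"},
        "files": [{"filename": "app.log"}, {"filename": "errors.log"}],
    },
    "loggers": {"app": {"handlers": ["console"], "level": "INFO"}},
}

# One access step: ".name" (attribute-style) or "[key]" (item-style).
_STEP = re.compile(r"\.(\w+)|\[([^\]]+)\]")


def parse_cfg_path(path: str) -> List[Any]:
    """Split 'handlers.files[1].filename' into lookup keys without eval().

    Only the str.format-style grammar  name(.name | [key])*  is accepted;
    anything else (calls, operators, stray characters) raises ValueError.
    """
    if path.startswith("cfg://"):  # prefix used by PEP 391 references
        path = path[len("cfg://"):]
    head = re.match(r"\w+", path)
    if head is None:
        raise ValueError(f"path must start with a name: {path!r}")
    keys: List[Any] = [head.group(0)]
    pos = head.end()
    while pos < len(path):
        step = _STEP.match(path, pos)
        if step is None:
            raise ValueError(f"illegal syntax at offset {pos}: {path[pos:]!r}")
        if step.group(1) is not None:
            keys.append(step.group(1))
        else:
            raw = step.group(2)
            try:
                # literal_eval builds constants only (0, -1, 'x', (1, 2), ...);
                # it cannot call, import, or look up names.
                key = ast.literal_eval(raw)
            except (ValueError, SyntaxError):
                key = raw  # same rule as str.format: a bare word is a string key
            keys.append(key)
        pos = step.end()
    return keys


def resolve_cfg(config: Any, path: str) -> Any:
    """Walk the config along the path; only dict/list/tuple indexing happens."""
    value = config
    for key in parse_cfg_path(path):
        if not isinstance(value, (dict, list, tuple)):
            raise KeyError(f"{path!r}: cannot index into {type(value).__name__}")
        try:
            value = value[key]
        except (KeyError, IndexError, TypeError) as exc:
            raise KeyError(f"{path!r}: no such element {key!r}") from exc
    return value


def is_valid_cfg_path(path: str) -> bool:
    """True if the path uses only the safe attribute/item grammar."""
    try:
        parse_cfg_path(path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(resolve_cfg(SAMPLE_CONFIG, "cfg://handlers.files[1].filename"))
    print(is_valid_cfg_path("handlers.console.copy()"))
```

The design point is that the reference syntax is parsed, not executed: a reference can only name a key or index, so a configuration received over the socket can select existing config elements but cannot cause any code to run. Anything outside that grammar, such as a call or an operator, is rejected before any lookup happens.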