[ python-Bugs-1722239 ] NamedTuple security issue
SourceForge.net
noreply at sourceforge.net
Sun May 20 22:40:52 CEST 2007
Bugs item #1722239, was opened at 2007-05-20 20:00
Message generated for change (Comment added) made by tiran
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1722239&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.6
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Christian Heimes (tiran)
Assigned to: Nobody/Anonymous (nobody)
Summary: NamedTuple security issue
Initial Comment:
collections.NamedTuple is using an assert to prevent exec attacks:

    assert ''.join(field_names).replace('_', '').isalpha()   # protect against exec attacks

Asserts are ignored when Python code is run with the -O or -OO flag. I suggest replacing them.
----------------------------------------------------------------------
>Comment By: Christian Heimes (tiran)
Date: 2007-05-20 22:40
Message:
Logged In: YES
user_id=560817
Originator: YES
It's less than a ton (how do I weigh source code? *g*) but it's used in
some modules. Personally I don't like the usage of exec/execfile and I'm
always worried when I see code that utilizes it. I've created a patch that
checks typename and field_names for non-alphanumeric characters.
Bastion.py: exec testcode
bdb.py: exec cmd in globals, locals
cgi.py: exec "testing print_exception() -- <I>italics?</I>"
code.py: exec code in self.locals
collections.py: exec template in m
cProfile.py: exec cmd in globals, locals
doctest.py: exec compile(example.source, filename, "single",
hashlib.py: exec funcName + ' = f'
hashlib.py: exec funcName + ' = __get_builtin_constructor(funcName)'
ihooks.py: exec code in m.__dict__
imputil.py: exec code in module.__dict__
pdb.py: exec code in globals, locals
profile.py: exec cmd in globals, locals
rexec.py: exec TEMPLATE % (m, m)
rexec.py: exec code in m.__dict__
runpy.py: exec code in run_globals
site.py: exec line
socket.py: exec _s % (_m, _m, _m, _m)
timeit.py: exec code in globals(), ns
timeit.py: exec _setup in globals(), ns
trace.py: exec cmd in dict, dict
trace.py: exec cmd in globals, locals
File Added: NamedTuple_55472.diff
----------------------------------------------------------------------
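The point of the report and of the patch above, as an added example that is not part of this thread or of the collections module: an assert-based guard is loaded once at normal optimization and once at the level `python -O` uses (through compile()'s optimize argument), and an explicit ValueError-raising check is placed beside it. The hardened check here uses str.isidentifier() plus keyword.iskeyword() rather than the alphanumeric test of the patch, and the guard source and sample field names are constructed for the demonstration.

```python
import keyword

# Constructed stand-in for the guard collections.py placed in front of its
# exec'd class template (this is not the module's own code).
ASSERT_GUARD_SRC = '''
def assert_guard(field_names):
    assert ''.join(field_names).replace('_', '').isalpha()   # protect against exec attacks
    return True
'''

def assert_guard_accepts(field_names, optimize):
    """Load the assert-based guard at the given optimization level (0 is a
    normal run, 1 is what ``python -O`` uses) and report whether it lets
    field_names through.  exec is used here only to load the string source
    at a chosen level inside this process."""
    namespace = {}
    code = compile(ASSERT_GUARD_SRC, '<assert-guard>', 'exec', optimize=optimize)
    exec(code, namespace)
    try:
        return namespace['assert_guard'](field_names)
    except AssertionError:
        return False

def checked_names(typename, field_names):
    """Hardened replacement: an explicit check that no optimization flag can
    strip.  Every name must be a plain identifier and not a keyword, otherwise
    splicing it into exec'd source text would change the code that runs."""
    names = (typename,) + tuple(field_names)
    for name in names:
        if not name.isidentifier() or keyword.iskeyword(name):
            raise ValueError('Type names and field names must be valid '
                             'identifiers, got %r' % (name,))
    return names

def checked_names_reject(typename, field_names):
    """True if checked_names() refuses the given names."""
    try:
        checked_names(typename, field_names)
    except ValueError:
        return True
    return False

# Constructed sample input: one clean field list and one whose second "field"
# is source text rather than an identifier.
CLEAN = ('x', 'y')
TAINTED = ('x', 'y; z')

if __name__ == '__main__':
    print([assert_guard_accepts(TAINTED, level) for level in (0, 1)])   # [False, True]
    print(checked_names_reject('Point', TAINTED))                          # True
```

At optimize=1 the assert disappears from the compiled guard, so the tainted names pass; the explicit check rejects them at every level.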
Comment By: Brett Cannon (bcannon)
Date: 2007-05-20 21:23
Message:
Logged In: YES
user_id=357491
Originator: NO
Or you could just not have the security protection in there. I am sure
there are a ton of other places that are not protected against malicious
use of exec.
----------------------------------------------------------------------