The Case Against Python 3

Steve D'Aprano steve+python at pearwood.info
Sat Nov 26 20:19:08 EST 2016


On Sun, 27 Nov 2016 11:25 am, Chris Angelico wrote:

> On Sun, Nov 27, 2016 at 11:13 AM, Steve D'Aprano
> <steve+python at pearwood.info> wrote:
>> So-called f-strings haven't even hit the  already been implicated in a
>> code-injection vulnerability:
>>
>> http://bugs.python.org/issue28563
>>
>> I feel kind of vindicated here, because when so-called f-strings were
>> first proposed I asked about the security implication of another way of
>> evaluating arbitrary expressions, and I was told that there were no
>> security implications. Technically that might be true in the sense that
>> f-strings don't do anything that wasn't already possible, but as the
>> above bug shows, they can make exploiting code injection trivially easy
>> in cases where they were previously diabolically hard.
> 
> Given that the exploit exists in 2.7, I would say f-strings didn't
> create this, eval did. 

I never said that f-strings caused the vulnerability. I choose my words
carefully. As I said when I mentioned this issue three weeks ago, the
underlying cause of the vulnerability is the use of eval on an untrusted
string. But the existence of a theoretical vulnerability is not the same as
an exploit, let alone an easy exploit.


> The problem is that you absolutely CANNOT 
> "sanitize" something before giving it to eval.

Be careful about making absolute claims. I challenge you to break this use
of eval:

def calculate(phrase):
    # Only a phrase that survives the allow-list below ever reaches eval.
    try:
        phrase = sanitize(phrase)
    except ValueError:
        return
    return eval(phrase, {'x': 20})


def sanitize(phrase):
    # Allow-list, not a blocklist: strip spaces, then accept only two
    # exact expressions; everything else is rejected.
    phrase = phrase.replace(' ', '')
    if phrase in ('x+1', '2*x'):
        return phrase
    raise ValueError('unsafe phrase')


For a more practical example, namedtuple uses exec to dynamically build the
class. Can you find a code injection attack in namedtuple? I doubt it. Not
all uses of exec or eval lead to a code injection vulnerability.


> An f-string slips past the sanitizer, but so do other things.

I daresay you are right that a sufficiently clever adversary may have found
an exploit. But there's no sign that anyone actually did find an exploit,
until f-strings made exploiting this trivial.

-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
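The point argued above (an allow-list in front of eval is safe, a token-filtering "sanitizer" is not, and f-strings turned a theoretical hole into a trivial one) can be seen end to end in the following added example. It is not code from the thread or from CPython: the weak regex sanitizer, the `env` marker dict, the payload strings and the `safe_calculate` AST walker are all constructed here for illustration. It needs Python 3.8+ (for `ast.Constant`).

```python
"""Constructed example, not code from the thread: a token-filtering
sanitizer in front of eval() versus an exact allow-list versus no eval
at all.  Python 3.8+."""
import ast
import operator
import re

# ---- 1. A constructed "sanitizer" of the kind that looks safe before 3.6.
# It admits integers, the variable x, arithmetic operators and string
# literals.  Each token is harmless on 2.7/3.5; on 3.6+ a string literal
# may carry an `f` prefix, and then its {...} fields are executed code.
_WEAK = re.compile(r"(?:\d+|x|[-+*/%()]|f?'[^']*')+")

def weak_sanitize(phrase):
    phrase = phrase.replace(' ', '')
    if not _WEAK.fullmatch(phrase):
        raise ValueError('unsafe phrase')
    return phrase

def weak_calculate(phrase, env):
    """eval() behind the weak sanitizer.  `env` is a constructed dict
    standing in for process state an attacker would like to modify."""
    return eval(weak_sanitize(phrase), {'x': 20, 'env': env})

# The same payload with and without the f prefix (constructed).  Without
# it, eval returns the literal string; with it, __setitem__ actually runs.
PLAIN_STRING = "'{env.__setitem__(\"pwned\", True)}'"
F_STRING = "f'{env.__setitem__(\"pwned\", True)}'"

# ---- 2. The allow-list from the post: only two exact phrases reach eval,
# so there is no token the f prefix could hide inside.
def allowlist_calculate(phrase):
    phrase = phrase.replace(' ', '')
    if phrase not in ('x+1', '2*x'):
        raise ValueError('unsafe phrase')
    return eval(phrase, {'x': 20})

# ---- 3. No eval at all: parse, then walk an allow-list of AST node types.
# Call, Attribute, JoinedStr (an f-string), Pow and everything else not
# listed is rejected before anything is evaluated.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv,
            ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def safe_calculate(phrase, x=20):
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        # `type(...) is int` keeps bools and other constants out.
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name) and node.id == 'x':
            return x
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](ev(node.operand))
        raise ValueError('unsafe phrase: %s' % type(node).__name__)
    return ev(ast.parse(phrase, mode='eval'))

def is_rejected(calculate, phrase, *args):
    """True when `calculate` refuses the phrase with ValueError."""
    try:
        calculate(phrase, *args)
    except ValueError:
        return True
    return False

if __name__ == '__main__':
    env = {}
    print(weak_calculate(PLAIN_STRING, env), env)  # just a string, env untouched
    print(weak_calculate(F_STRING, env), env)      # 'None' {'pwned': True}
    print(safe_calculate('-(x % 7) * 3'))          # -18
```

The weak sanitizer does reject `__import__('os')`, which is why such filters pass review; it is the f prefix on an otherwise admitted string literal that carries the call through. The AST walker raises `SyntaxError` (not `ValueError`) on malformed input and lets `ZeroDivisionError` through, so callers should catch both; `Pow` is deliberately left out because `x ** 10000 ** 10000` is a denial of service even though it is "only arithmetic".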