[issue22885] Arbitrary code execution vulnerability due to unchecked eval() call in dumbdbm module
Serhiy Storchaka
report at bugs.python.org
Sat Jan 24 10:15:16 CET 2015
Serhiy Storchaka added the comment:
Raising dbm.dumb.error is a behavior change. It would be safer not to apply this part in maintained releases.
If sanity checks are added in 3.5, note that the following line "key = key.encode('Latin-1')" can raise an exception too (AttributeError or UnicodeEncodeError). And incorrect data can cause an error later in __getitem__ if pos_and_siz_pair is not a pair of two integers.
I think it is worth splitting this issue into two issues and fixing only the security issue here.
----------
nosy: +serhiy.storchaka
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22885>
_______________________________________
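The failure modes named in the message above, shown as an added example that is not part of the original message and is not CPython's patch: one index line is parsed with `ast.literal_eval` instead of `eval()`, then the key and the position/size pair are validated. The names `parse_index_line`, `load_index` and `IndexFormatError`, the choice to raise a dedicated exception, and the sample lines are assumptions made for illustration.

```python
import ast


class IndexFormatError(ValueError):
    """An index line is not of the form 'key', (pos, siz)."""


def parse_index_line(line):
    """Return (key_bytes, (pos, siz)) for one line, or raise IndexFormatError."""
    try:
        # literal_eval only builds literals; a call expression is rejected, not run.
        entry = ast.literal_eval(line.strip())
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise IndexFormatError("not a Python literal: %r" % line) from exc
    if not (isinstance(entry, tuple) and len(entry) == 2):
        raise IndexFormatError("expected a 2-tuple: %r" % line)
    key, pair = entry
    if not isinstance(key, str):  # would be AttributeError on key.encode()
        raise IndexFormatError("key is not a string: %r" % line)
    try:
        key_bytes = key.encode("Latin-1")
    except UnicodeEncodeError as exc:
        raise IndexFormatError("key is not Latin-1: %r" % line) from exc
    # bool is a subclass of int, so compare exact types.
    if not (isinstance(pair, tuple) and len(pair) == 2
            and all(type(n) is int for n in pair)):
        raise IndexFormatError("expected two integers: %r" % line)
    return key_bytes, pair


def load_index(lines):
    """Parse all lines; return (index dict, list of rejected lines)."""
    index, rejected = {}, []
    for line in lines:
        try:
            key, pair = parse_index_line(line)
        except IndexFormatError:
            rejected.append(line)
        else:
            index[key] = pair
    return index, rejected


# Constructed sample index lines (not taken from a real database).
SAMPLE_LINES = [
    "'alpha', (0, 5)\n",             # well-formed
    "print('evaluated'), (0, 1)\n",  # call expression: eval() would run it
    "'\\u20ac', (512, 3)\n",         # key cannot be encoded as Latin-1
    "7, (512, 3)\n",                 # key has no .encode()
    "'beta', (512, 'x')\n",          # size is not an integer
]
```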