[issue28563] Arbitrary code execution in gettext.c2py
Xiang Zhang
report at bugs.python.org
Sat Nov 5 03:37:11 EDT 2016
Xiang Zhang added the comment:
> gettext.c2py("n()")(lambda: os.system("sh"))
> gettext.c2py("1()")(0)
Empty parentheses should be disallowed. Function calls are not allowed in plural expressions. And non-integer arguments should be disallowed too, just as Serhiy's example shows.
> What if make repeated replacements with regular expression r'([^?:]*?)\?([^?:]*?):([^?:]*)'?
How does it work for '1?2:3?4:5'? :-( I am considering a parser.
----------
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28563>
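As an added illustration (not code from the tracker or from CPython's gettext), here is a parser-based evaluator for Plural-Forms expressions along the lines Xiang Zhang is considering: it never calls eval(), so "n()" and "1()" fail as trailing tokens, "()" as a missing operand, non-integer n at a type check, and the nested "1?2:3?4:5" parses right-associatively as C does. The names plural, rejects and _BIN are my own.

```python
import operator as op
import re

_TOKEN = re.compile(r'[0-9]+|n|==|!=|<=|>=|&&|\|\||[-+*/%<>!?:()]')  # the only tokens allowed
# Binary operators with C precedence (higher binds tighter); '/' floors, which is fine for n >= 0.
_BIN = {'||': (0, lambda a, b: bool(a) or bool(b)), '&&': (1, lambda a, b: bool(a) and bool(b)),
        '==': (2, op.eq), '!=': (2, op.ne), '<': (3, op.lt), '>': (3, op.gt), '<=': (3, op.le),
        '>=': (3, op.ge), '+': (4, op.add), '-': (4, op.sub), '*': (5, op.mul),
        '/': (5, op.floordiv), '%': (5, op.mod)}
def plural(expr, n):  # evaluate a Plural-Forms expression for int n by parsing it, never eval()
    if not isinstance(n, int) or isinstance(n, bool):
        raise TypeError(f'plural value must be an int, got {type(n).__name__}')
    tokens, pos = _TOKEN.findall(expr) + ['<end>'], 0  # '<end>' marks end of input
    if ''.join(tokens[:-1]) != ''.join(expr.split()):  # findall skips junk: reject it
        raise ValueError(f'invalid plural expression: {expr!r}')
    def take(expected=None):  # consume one token, optionally requiring a specific one
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if expected not in (None, tok):
            raise ValueError(f'expected {expected!r}, got {tok!r}')
        return tok
    def ternary():  # right-associative: '1?2:3?4:5' parses as '1?2:(3?4:5)'
        cond = binary(0)
        if tokens[pos] != '?':
            return cond
        parts = (take('?'), ternary(), take(':'), ternary())  # both branches always parsed
        return parts[1] if cond else parts[3]
    def binary(min_prec):  # precedence climbing; every level is left-associative
        value = unary()
        while tokens[pos] in _BIN and _BIN[tokens[pos]][0] >= min_prec:
            prec, fn = _BIN[take()]
            value = int(fn(value, binary(prec + 1)))
        return value
    def unary():
        tok = take()
        if tok == '!':
            return int(not unary())
        if tok == '(':
            return (ternary(), take(')'))[0]  # parenthesised expression, then its ')'
        if tok == 'n' or tok.isdigit():
            return n if tok == 'n' else int(tok)
        raise ValueError(f'unexpected token {tok!r}')  # e.g. the ')' of '()'
    value, _ = ternary(), take('<end>')  # 'n()' and '1()' leave '(' ')' unconsumed: rejected here
    return value
def rejects(expr, n=1):  # True if plural() raises for expr or n instead of evaluating it
    try:
        return plural(expr, n) is None  # never True: a successful parse returns an int
    except (ValueError, TypeError):
        return True
```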