Hi Kenny
Thank you for your meticulously crafted patch, you really have dug deep and gone
where others (myself included) sometimes fear to tread.
As requested, I have committed your patch verbatim:
http://code.google.com/p/asciidoc/source/detail?r=66543730504e5dc07a56fcd89b238ef784cdeac4
I have to admit this is the first time I've looked at Python's AST API -- more
bedtime reading to look forward to :-)
The updated ifeval::[] macro works -- I've subsequently added a test to the unit
tests.
I have taken the liberty of cc'ing this message to the AsciiDoc mailing list.
Thanks again for the patch, this is a real step forward for AsciiDoc security,
and thanks for refactoring the old validate() function.
Cheers, Stuart
On 07/08/11 02:56, Kenny MacDermid wrote:
---------- Forwarded message ----------
From: *Kenny MacDermid* <[email protected] <mailto:[email protected]>>
Date: Fri, Aug 5, 2011 at 3:14 PM
Subject: AsciiDoc Vulnerabilities
To: [email protected] <mailto:[email protected]>
Hello Stuart,
I was looking at AsciiDoc as it's used in GitHub where I store some code. I've
noticed a number of vulnerabilities in the way eval() is used. This allows
hackers to switch the document to unsafe with, for example:
Using the old table format:
[format="dsv",separator=":\" and
__import__('__builtin__').setattr(__import__('sys').modules[__name__], 'safe',
lambda: False) or \":"]
.---.---
1:2
2:3
4:6
--------
Using the new table format:
[width="15%")
and__import__('__builtin__').setattr(__import__('sys').modules[__name__],
'safe', lambda: False) or {'width': '15%'} #]
|=======
|1 |2 |A
|3 |4 |B
|5 |6 |C
|=======
I have included a patch that I believe closes all these vulnerabilities. If you
could 'hg import' it so I get credit it would be appreciated.
The patch uses literal_eval() if Python 2.6 or greater is installed, and a
back-ported version for 2.4 & 2.5. I also had to change around the parsing code
to make it work.
All 135 unit tests pass. I didn't test the ifeval code, and haven't checked if
that's exercised in the tests, but the rest seems to work well in both Python
2.6 and 2.4 that I tested. I notice that the generated code is slightly
different between 2.4 and 2.6, but this occurs without any of my changes (A <
/br> ends up on the next line I think).
I sent a different patch to GitHub for the version they are using (8.4.4). If
you are interested in this patch I can send it as well.
Kenny
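To illustrate the change Kenny describes (parsing an attribute list with the AST API instead of eval()), here is an added example; it is not the committed patch or AsciiDoc's own code. The f() wrapper, the numeric keys for positional values and the handling of bare words as strings are assumptions made for this example.

```python
import ast


def parse_attribute_list(attrs):
    """Parse an AsciiDoc-style attribute list such as
    'quote, "Someone", width="15%"' into a dict without eval().

    Assumed conventions for this example: positional values get the
    keys '1', '2', ...; named values keep their name; an unquoted bare
    word is taken as a string.  Anything that is not a plain literal
    (calls, attribute access, operators) is rejected with ValueError.
    """
    try:
        tree = ast.parse('f(' + attrs + ')', mode='eval')
    except SyntaxError as e:
        raise ValueError('attribute list is not well formed: %s' % e)
    call = tree.body
    # The whole expression must be exactly one call to f().  A list that
    # closes the bracket early and appends `and ... or {...} #` parses as
    # a BoolOp instead, so it fails here rather than being executed.
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
            and call.func.id == 'f'):
        raise ValueError('attribute list is not a plain argument list')
    result = {}
    for i, node in enumerate(call.args, 1):
        result[str(i)] = _literal_value(node)
    for kw in call.keywords:
        if kw.arg is None:  # `**mapping` unpacking
            raise ValueError('unpacking is not allowed in attribute lists')
        result[kw.arg] = _literal_value(kw.value)
    return result


def _literal_value(node):
    """Accept only literals (via ast.literal_eval) or a bare word."""
    if isinstance(node, ast.Starred):
        raise ValueError('unpacking is not allowed in attribute lists')
    if isinstance(node, ast.Name):
        return node.id  # assumed: bare word becomes its own text
    # literal_eval raises ValueError for calls, attribute access, etc.
    return ast.literal_eval(node)


def is_rejected(attrs):
    """True if the attribute list is refused instead of evaluated."""
    try:
        parse_attribute_list(attrs)
    except ValueError:
        return True
    return False
```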