You're welcome. Glad to help. If you know any other companies hosting this version I'm sure they'd appreciate a heads up. Especially when the new version is available.
Kenny

On Aug 9, 6:43 pm, Stuart Rackham <[email protected]> wrote:
> Hi Kenny
>
> Thank you for your meticulously crafted patch, you really have dug deep and gone
> where others (myself included) sometimes fear to tread.
>
> As requested, I have committed your patch verbatim:
>
> http://code.google.com/p/asciidoc/source/detail?r=66543730504e5dc07a5...
>
> I have to admit this is the first time I've looked at Python's AST API -- more
> bedtime reading to look forward to :-)
>
> The updated ifeval::[] macro works -- I've subsequently added a test to the unit
> tests.
>
> I have taken the liberty of cc'ing this message to the AsciiDoc mailing list.
>
> Thanks again for the patch, this is a real step forward for AsciiDoc security,
> and thanks for refactoring the old validate() function.
>
> Cheers, Stuart
>
> On 07/08/11 02:56, Kenny MacDermid wrote:
> >
> > ---------- Forwarded message ----------
> > From: *Kenny MacDermid* <[email protected] <mailto:[email protected]>>
> > Date: Fri, Aug 5, 2011 at 3:14 PM
> > Subject: AsciiDoc Vulnerabilities
> > To: [email protected] <mailto:[email protected]>
> >
> > Hello Stuart,
> >
> > I was looking at AsciiDoc as it's used in GitHub where I store some code. I've
> > noticed a number of vulnerabilities in the way eval() is used. This allows
> > hackers to switch the document to unsafe with, for example:
> >
> > Using the old table format:
> >
> > [format="dsv",separator=":\" and
> > __import__('__builtin__').setattr(__import__('sys').modules[__name__], 'safe',
> > lambda: False) or \":"]
> > .---.---
> > 1:2
> > 2:3
> > 4:6
> > --------
> >
> > Using the new table format:
> >
> > [width="15%")
> > and__import__('__builtin__').setattr(__import__('sys').modules[__name__],
> > 'safe', lambda: False) or {'width': '15%'} #]
> > |=======
> > |1 |2 |A
> > |3 |4 |B
> > |5 |6 |C
> > |=======
> >
> > I have included a patch that I believe closes all these vulnerabilities. If you
> > could 'hg import' it so I get credit it would be appreciated.
> >
> > The patch uses literal_eval() if Python 2.6 or greater is installed, and a
> > back-ported version for 2.4 & 2.5. I also had to change around the parsing code
> > to make it work.
> >
> > All 135 unit tests pass. I didn't test the ifeval code, and haven't checked if
> > that's exercised in the tests, but the rest seems to work well in both python
> > 2.6 and 2.4 that I tested. I notice that the generated code is slightly
> > different between 2.4 and 2.6, but this occurs without any of my changes (A <
> > /br> ends up on the next line I think).
> >
> > I sent a different patch for the version GitHub is using to them (for 8.4.4). If
> > you are interested in this patch I can send it as well.
> >
> > Kenny

--
You received this message because you are subscribed to the Google Groups "asciidoc" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/asciidoc?hl=en.
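An added example (not code from the thread or from AsciiDoc itself) of the difference the patch makes: the legacy helper evaluates an attribute value with eval() as the pre-patch code did, while the safe helper uses ast.literal_eval() as the patch does, so anything that is not a plain literal is refused instead of executed. The sample values are constructed for this example and the function names are assumptions, not AsciiDoc's.

```python
import ast

# Attribute values as they might arrive from an attribute list such as
# [width="15%"] (constructed for this example, not taken from a real document).
SAMPLE_VALUES = {
    "old_style": "'15%'",                 # a plain string literal
    "dict_style": "{'width': '15%'}",     # a dict literal
    "boolean_trick": "'15%' or None",     # an operator expression, not a literal
    "call": "str(15)",                    # a function call, not a literal
}


class UnsafeAttributeValue(ValueError):
    """Raised when an attribute value is anything other than a Python literal."""


def legacy_eval_attr(text):
    """Pre-patch behaviour: eval() runs whatever expression the value holds.

    Shown only for contrast; never use this on document-controlled input.
    """
    return eval(text)  # noqa: S307  (deliberately unsafe, for comparison)


def safe_eval_attr(text):
    """Patched behaviour: accept literals only.

    ast.literal_eval handles strings, numbers, tuples, lists, dicts, sets,
    booleans and None. Calls, names, attribute access and boolean operators
    are not literals, so they raise ValueError and never execute.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UnsafeAttributeValue("not a literal: %r (%s)" % (text, exc))


def classify(values):
    """Map each raw value to ('ok', parsed_value) or ('rejected', reason)."""
    result = {}
    for name, raw in values.items():
        try:
            result[name] = ("ok", safe_eval_attr(raw))
        except UnsafeAttributeValue as exc:
            result[name] = ("rejected", str(exc))
    return result


if __name__ == "__main__":
    for name, (status, detail) in classify(SAMPLE_VALUES).items():
        print("%-14s %-8s %s" % (name, status, detail))
```

Note that eval() returns '15%' for the boolean_trick value, so the document would render normally while the left-hand side of the `or` had already run; literal_eval() rejects that value outright.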
