Sure, what if the input used a double quote instead of single? A cursory glance looks like it might be vulnerable.
(Not trying to be argumentative here)

On Nov 26, 2016 7:21 PM, "Steve D'Aprano" <steve+pyt...@pearwood.info> wrote:

> On Sun, 27 Nov 2016 11:25 am, Chris Angelico wrote:
>
> > On Sun, Nov 27, 2016 at 11:13 AM, Steve D'Aprano
> > <steve+pyt...@pearwood.info> wrote:
> >> So-called f-strings haven't even hit the already been implicated in a
> >> code-injection vulnerability:
> >>
> >> http://bugs.python.org/issue28563
> >>
> >> I feel kind of vindicated here, because when so-called f-strings were
> >> first proposed I asked about the security implication of another way of
> >> evaluating arbitrary expressions, and I was told that there were no
> >> security implications. Technically that might be true in the sense that
> >> f-strings don't do anything that wasn't already possible, but as the
> >> above bug shows, they can make exploiting code injection trivially easy
> >> in cases where they were previously diabolically hard.
> >
> > Given that the exploit exists in 2.7, I would say f-strings didn't
> > create this, eval did.
>
> I never said that f-strings caused the vulnerability. I choose my words
> carefully. As I said when I mentioned this issue three weeks ago, the
> underlying cause of the vulnerability is the use of eval on an untrusted
> string. But the existence of a theoretical vulnerability is not the same as
> an exploit, let alone an easy exploit.
>
> > The problem is that you absolutely CANNOT
> > "sanitize" something before giving it to eval.
>
> Be careful about making absolute claims. I challenge you to break this use
> of eval:
>
> def calculate(phrase):
>     try:
>         phrase = sanitize(phrase)
>     except ValueError:
>         return
>     return eval(phrase, {'x': 20})
>
>
> def sanitize(phrase):
>     phrase = phrase.replace(' ', '')
>     if phrase in ('x+1', '2*x'):
>         return phrase
>     raise ValueError('unsafe phrase')
>
>
> For a more practical example, namedtuple uses exec to dynamically build the
> class. Can you find a code injection attack in namedtuple? I doubt it. Not
> all uses of exec or eval lead to a code injection vulnerability.
>
> > An f-string slips past the sanitizer, but so do other things.
>
> I daresay you are right that a sufficiently clever adversary may have found
> an exploit. But there's no sign that anyone actually did find an exploit,
> until f-strings made exploiting this trivial.
>
>
> --
> Steve
> “Cheer up,” they said, “things could be worse.” So I cheered up, and sure
> enough, things got worse.
>
> --
> https://mail.python.org/mailman/listinfo/python-list
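As an added example (not from anyone in the thread): the exact-match allow-list in Steve's `sanitize` is safe because nothing but two literal phrases ever reaches eval. The version below, written for this note, keeps that property while accepting arbitrary integer arithmetic over named variables, by interpreting only an allow-listed subset of the parsed AST instead of calling eval at all; an f-string (`ast.JoinedStr`), a call or an attribute lookup is refused before any code runs. The names `safe_eval`, `is_safe` and `UnsafeExpression` are mine.

```python
import ast
import operator

# Operators the evaluator will apply; anything else is refused.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the integer-arithmetic subset."""


def safe_eval(phrase, variables):
    """Evaluate an integer arithmetic expression over the given variables.

    The phrase is parsed, never eval'd: only the node types handled below are
    interpreted, so an f-string (ast.JoinedStr), a call, an attribute lookup
    or a subscript is rejected before any code runs. Pow is left out so a
    phrase cannot burn CPU with huge exponents.
    """
    try:
        tree = ast.parse(phrase.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("not an expression: %r" % (phrase,)) from exc

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in variables:
                raise UnsafeExpression("unknown name %r" % (node.id,))
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        # JoinedStr (f-string), Call, Attribute, Subscript, Lambda, ... end here.
        raise UnsafeExpression("disallowed syntax: " + type(node).__name__)

    return walk(tree)


def is_safe(phrase, variables):
    """True if safe_eval accepts the phrase, False if it refuses it."""
    try:
        safe_eval(phrase, variables)
    except UnsafeExpression:
        return False
    return True
```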