It is not safe to use eval function because input data(request body) is not
checked
For example, someone can send this data to remove all files in the directory
"import('os').system('rm -rf .')"
I suggest to use json.loads to parse the request body if the data is json
format
or disable builtin functions like:
eval(req.body, {"__builtins__":None})
Signed-off-by: Takeshi <[email protected]>
---
ryu/app/ofctl_rest.py | 12 ++++++------
ryu/app/rest_firewall.py | 4 ++--
ryu/app/rest_qos.py | 2 +-
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
index 125554f..94cbeb2 100644
--- a/ryu/app/ofctl_rest.py
+++ b/ryu/app/ofctl_rest.py
@@ -155,7 +155,7 @@ class StatsController(ControllerBase):
flow = {}
else:
try:
- flow = eval(req.body)
+ flow = json.loads(req.body)
except SyntaxError:
LOG.debug('invalid syntax %s', req.body)
return Response(status=400)
@@ -326,7 +326,7 @@ class StatsController(ControllerBase):
def mod_flow_entry(self, req, cmd, **_kwargs):
try:
- flow = eval(req.body)
+ flow = json.loads(req.body)
except SyntaxError:
LOG.debug('invalid syntax %s', req.body)
return Response(status=400)
@@ -380,7 +380,7 @@ class StatsController(ControllerBase):
def mod_meter_entry(self, req, cmd, **_kwargs):
try:
- flow = eval(req.body)
+ flow = json.loads(req.body)
except SyntaxError:
LOG.debug('invalid syntax %s', req.body)
return Response(status=400)
@@ -413,7 +413,7 @@ class StatsController(ControllerBase):
def mod_group_entry(self, req, cmd, **_kwargs):
try:
- group = eval(req.body)
+ group = json.loads(req.body)
except SyntaxError:
LOG.debug('invalid syntax %s', req.body)
return Response(status=400)
@@ -448,7 +448,7 @@ class StatsController(ControllerBase):
def mod_port_behavior(self, req, cmd, **_kwargs):
try:
- port_config = eval(req.body)
+ port_config = json.loads(req.body)
except SyntaxError:
LOG.debug('invalid syntax %s', req.body)
return Response(status=400)
@@ -493,7 +493,7 @@ class StatsController(ControllerBase):
return Response(status=404)
try:
- exp = eval(req.body)
+ exp = json.loads(req.body)
except SyntaxError:
LOG.debug('invalid syntax %s', req.body)
return Response(status=400)
diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
index 01eb6e2..4e52b1f 100644
--- a/ryu/app/rest_firewall.py
+++ b/ryu/app/rest_firewall.py
@@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
try:
- rule = eval(req.body)
+ rule = json.loads(req.body)
except SyntaxError:
FirewallController._LOGGER.debug('invalid syntax %s', req.body)
return Response(status=400)
@@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
try:
- ruleid = eval(req.body)
+ ruleid = json.loads(req.body)
except SyntaxError:
FirewallController._LOGGER.debug('invalid syntax %s', req.body)
return Response(status=400)
diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
index 057a3fd..537639f 100644
--- a/ryu/app/rest_qos.py
+++ b/ryu/app/rest_qos.py
@@ -499,7 +499,7 @@ class QoSController(ControllerBase):
def _access_switch(self, req, switchid, vlan_id, func, waiters):
try:
- rest = eval(req.body) if req.body else {}
+ rest = json.loads(req.body) if req.body else {}
except SyntaxError:
QoSController._LOGGER.debug('invalid syntax %s', req.body)
return Response(status=400)
--
1.9.1
------------------------------------------------------------------------------
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
