It is not safe to use the eval function because the input data (the request body) is not checked.
For example, someone can send this data to remove all files in the directory "import('os').system('rm -rf .')" I suggest to use json.loads to parse the request body if the data is json format or disable builtin functions like: eval(req.body, {"__builtins__":None})
Signed-off-by: Takeshi <a86487...@gmail.com>
---
 ryu/app/ofctl_rest.py | 12 ++++++------
 ryu/app/rest_firewall.py | 4 ++--
 ryu/app/rest_qos.py | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
index 125554f..94cbeb2 100644
--- a/ryu/app/ofctl_rest.py
+++ b/ryu/app/ofctl_rest.py
@@ -155,7 +155,7 @@ class StatsController(ControllerBase):
 flow = {}
 else:
 try:
- flow = eval(req.body)
+ flow = json.loads(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -326,7 +326,7 @@ class StatsController(ControllerBase):
 def mod_flow_entry(self, req, cmd, **_kwargs):
 try:
- flow = eval(req.body)
+ flow = json.loads(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -380,7 +380,7 @@ class StatsController(ControllerBase):
 def mod_meter_entry(self, req, cmd, **_kwargs):
 try:
- flow = eval(req.body)
+ flow = json.loads(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -413,7 +413,7 @@ class StatsController(ControllerBase):
 def mod_group_entry(self, req, cmd, **_kwargs):
 try:
- group = eval(req.body)
+ group = json.loads(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -448,7 +448,7 @@ class StatsController(ControllerBase):
 def mod_port_behavior(self, req, cmd, **_kwargs):
 try:
- port_config = eval(req.body)
+ port_config = json.loads(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
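Review bot: The `except SyntaxError:` clause that follows each replaced line no longer matches what the new parser raises: `json.loads` reports a malformed body with `ValueError` (`json.JSONDecodeError`, a `ValueError` subclass, on newer Pythons), so an invalid request now escapes the handler as an unhandled exception instead of returning the intended 400. The same mismatch is present in every hunk of this patch — the six in ofctl_rest.py and the hunks in rest_firewall.py and rest_qos.py — and each should change to `except ValueError:` with the message updated to `'invalid json %s'`. Note also that an empty body now fails the same way in the ofctl_rest.py and rest_firewall.py handlers, which lack the `if req.body else {}` guard used in rest_qos.py, and that `json.loads` can still yield a list or scalar, so if the handlers index the result as a dict (outside these hunks) an `isinstance(..., dict)` check is worth adding. Each enclosing method starts or continues outside its hunk.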
@@ -493,7 +493,7 @@ class StatsController(ControllerBase):
 return Response(status=404)
 try:
- exp = eval(req.body)
+ exp = json.loads(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
index 01eb6e2..4e52b1f 100644
--- a/ryu/app/rest_firewall.py
+++ b/ryu/app/rest_firewall.py
@@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
 def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
 try:
- rule = eval(req.body)
+ rule = json.loads(req.body)
 except SyntaxError:
 FirewallController._LOGGER.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
 def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
 try:
- ruleid = eval(req.body)
+ ruleid = json.loads(req.body)
 except SyntaxError:
 FirewallController._LOGGER.debug('invalid syntax %s', req.body)
 return Response(status=400)
diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
index 057a3fd..537639f 100644
--- a/ryu/app/rest_qos.py
+++ b/ryu/app/rest_qos.py
@@ -499,7 +499,7 @@ class QoSController(ControllerBase):
 def _access_switch(self, req, switchid, vlan_id, func, waiters):
 try:
- rest = eval(req.body) if req.body else {}
+ rest = json.loads(req.body) if req.body else {}
 except SyntaxError:
 QoSController._LOGGER.debug('invalid syntax %s', req.body)
 return Response(status=400)
--
1.9.1