Hi, I'm just trying to make and test the same modification. Thanks.
I think ofctl_rest.py needs to be compatible with hexadecimal value or ascii byte array (e.g. "\x00\x00\x00\x01" in Experimenter) in order to keep usability. But json.loads can not get hexadecimal value or ascii byte array. I suggest to use another function, e.g. ast.literal_eval() in ofctl_rest.py. How about this? I modified your patch. --------------------------- It is not safe to use eval function because input data(request body) is not checked For example, someone can send this data to remove all files in the directory "import('os').system('rm -rf .')" I suggest to use json.loads to parse the request body if the data is json format or disable builtin functions like: eval(req.body, {"__builtins__":None}) In this patch, ast.literal_eval() is used to evaluate REST body, because ofctl_rest needs to be compatible with hexadecimal value or ascii byte array (e.g. "\x00\x00\x00\x01" in Experimenter) in order to keep usability.
Signed-off-by: Takeshi <a86487...@gmail.com>
Signed-off-by: IWASE Yusuke <iwase.yusu...@gmail.com>
---
 ryu/app/ofctl_rest.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
index 125554f..338d59e 100644
--- a/ryu/app/ofctl_rest.py
+++ b/ryu/app/ofctl_rest.py
@@ -16,6 +16,7 @@
 import logging
 import json
+import ast
 from webob import Response
 from ryu.base import app_manager
@@ -155,7 +156,7 @@ class StatsController(ControllerBase):
 flow = {}
 else:
 try:
- flow = eval(req.body)
+ flow = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -326,7 +327,7 @@ class StatsController(ControllerBase):
 def mod_flow_entry(self, req, cmd, **_kwargs):
 try:
- flow = eval(req.body)
+ flow = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
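Review bot: The `except SyntaxError:` kept in the -155 hunk no longer matches the failure mode of the new call: ast.literal_eval raises ValueError for a body that parses but is not a literal (a bare name, an attribute access or a call like the `__import__('os')` example in the commit message), so such a body now escapes the handler as an unhandled exception instead of the intended 400. Widen the clause to `except (SyntaxError, ValueError):`; the same change is needed in the -326, -380, -413, -448 and -493 hunks. A comment on the call is also warranted, since the Python documentation warns that literal_eval can still exhaust the interpreter stack on a sufficiently deep or large input, so a size cap on `req.body` before parsing is a sensible companion check. The method containing the -155 hunk begins outside the hunk.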
@@ -380,7 +381,7 @@ class StatsController(ControllerBase):
 def mod_meter_entry(self, req, cmd, **_kwargs):
 try:
- flow = eval(req.body)
+ flow = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -413,7 +414,7 @@ class StatsController(ControllerBase):
 def mod_group_entry(self, req, cmd, **_kwargs):
 try:
- group = eval(req.body)
+ group = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -448,7 +449,7 @@ class StatsController(ControllerBase):
 def mod_port_behavior(self, req, cmd, **_kwargs):
 try:
- port_config = eval(req.body)
+ port_config = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -493,7 +494,7 @@ class StatsController(ControllerBase):
 return Response(status=404)
 try:
- exp = eval(req.body)
+ exp = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
--
1.9.1
The patches for rest_firewall.py and rest_qos.py looks good to me. Thanks.
On 2014年11月09日 20:41, Yi Tseng wrote:
> It is not safe to use eval function because input data(request body) is not
> checked
>
> For example, someone can send this data to remove all files in the directory
>
> "import('os').system('rm -rf .')"
>
> I suggest to use json.loads to parse the request body if the data is json
> format
>
> or disable builtin functions like:
>
> eval(req.body, {"__builtins__":None})
>
> Signed-off-by: Takeshi <a86487...@gmail.com <mailto:a86487...@gmail.com>>
> ---
> ryu/app/ofctl_rest.py | 12 ++++++------
> ryu/app/rest_firewall.py | 4 ++--
> ryu/app/rest_qos.py | 2 +-
> 3 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
> index 125554f..94cbeb2 100644
> --- a/ryu/app/ofctl_rest.py
> +++ b/ryu/app/ofctl_rest.py
> @@ -155,7 +155,7 @@ class StatsController(ControllerBase):
> flow = {}
> else:
> try:
> - flow = eval(req.body)
> + flow = json.loads(req.body)
> except SyntaxError:
> LOG.debug('invalid syntax %s', req.body)
> return Response(status=400)
> @@ -326,7 +326,7 @@ class StatsController(ControllerBase):
>
> def mod_flow_entry(self, req, cmd, **_kwargs):
> try:
> - flow = eval(req.body)
> + flow = json.loads(req.body)
> except SyntaxError:
> LOG.debug('invalid syntax %s', req.body)
> return Response(status=400)
> @@ -380,7 +380,7 @@ class StatsController(ControllerBase):
>
> def mod_meter_entry(self, req, cmd, **_kwargs):
> try:
> - flow = eval(req.body)
> + flow = json.loads(req.body)
> except SyntaxError:
> LOG.debug('invalid syntax %s', req.body)
> return Response(status=400)
> @@ -413,7 +413,7 @@ class StatsController(ControllerBase):
>
> def mod_group_entry(self, req, cmd, **_kwargs):
> try:
> - group = eval(req.body)
> + group = json.loads(req.body)
> except SyntaxError:
> LOG.debug('invalid syntax %s', req.body)
> return Response(status=400)
> @@ -448,7 +448,7 @@ class StatsController(ControllerBase):
>
> def mod_port_behavior(self, req, cmd, **_kwargs):
> try:
> - port_config = eval(req.body)
> + port_config = json.loads(req.body)
> except SyntaxError:
> LOG.debug('invalid syntax %s', req.body)
> return Response(status=400)
> @@ -493,7 +493,7 @@ class StatsController(ControllerBase):
> return Response(status=404)
>
> try:
> - exp = eval(req.body)
> + exp = json.loads(req.body)
> except SyntaxError:
> LOG.debug('invalid syntax %s', req.body)
> return Response(status=400)
> diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
> index 01eb6e2..4e52b1f 100644
> --- a/ryu/app/rest_firewall.py
> +++ b/ryu/app/rest_firewall.py
> @@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
>
> def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
> try:
> - rule = eval(req.body)
> + rule = json.loads(req.body)
> except SyntaxError:
> FirewallController._LOGGER.debug('invalid syntax %s', req.body)
> return Response(status=400)
> @@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
>
> def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
> try:
> - ruleid = eval(req.body)
> + ruleid = json.loads(req.body)
> except SyntaxError:
> FirewallController._LOGGER.debug('invalid syntax %s', req.body)
> return Response(status=400)
> diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
> index 057a3fd..537639f 100644
> --- a/ryu/app/rest_qos.py
> +++ b/ryu/app/rest_qos.py
> @@ -499,7 +499,7 @@ class QoSController(ControllerBase):
>
> def _access_switch(self, req, switchid, vlan_id, func, waiters):
> try:
> - rest = eval(req.body) if req.body else {}
> + rest = json.loads(req.body) if req.body else {}
> except SyntaxError:
> QoSController._LOGGER.debug('invalid syntax %s', req.body)
> return Response(status=400)
> --
> 1.9.1
>
>
>
>
> ------------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Ryu-devel mailing list
> Ryu-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ryu-devel
> ------------------------------------------------------------------------------
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel
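Review bot: In the quoted `_set_rule` hunk at -492, json.loads reports a malformed body with ValueError (Python 3's JSONDecodeError is a ValueError subclass), so the retained `except SyntaxError:` never fires and a bad rule body surfaces as an unhandled exception rather than the 400 the handler intends. The same mismatch is present in the `_delete_rule` hunk at -516 and the rest_qos `_access_switch` hunk at -499. Change each clause to `except ValueError:`. Each of these methods continues past its hunk.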