Hi Yusuke

I think ast.literal_eval is better than json.load.

Thanks a lot!


Takeshi

2014-11-10 8:04 GMT+08:00 Yusuke Iwase <iwase.yusu...@gmail.com>:

> Hi
>
> I'm just trying to make and test the same modification.
> Thanks.
>
> I think ofctl_rest.py needs to remain compatible with hexadecimal values
> or ASCII byte arrays (e.g. "\x00\x00\x00\x01" in Experimenter)
> in order to keep usability.
> But json.loads cannot parse hexadecimal values or ASCII byte arrays.
>
> I suggest to use another function, e.g. ast.literal_eval() in
> ofctl_rest.py.
>
>
> How about this?
> I modified your patch.
>
> ---------------------------
>
> It is not safe to use eval function because input data(request body) is
> not checked
> For example, someone can send this data to remove all files in the
> directory
> "import('os').system('rm -rf .')"
>
> I suggest to use json.loads to parse the request body if the data is json
> format
> or disable builtin functions like:
> eval(req.body, {"__builtins__":None})
>
> In this patch, ast.literal_eval() is used to evaluate the REST body,
> because ofctl_rest needs to remain compatible with hexadecimal values
> or ASCII byte arrays (e.g. "\x00\x00\x00\x01" in Experimenter)
> in order to keep usability.
>
> Signed-off-by: Takeshi <a86487...@gmail.com>
> Signed-off-by: IWASE Yusuke <iwase.yusu...@gmail.com>
> ---
>  ryu/app/ofctl_rest.py | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
> index 125554f..338d59e 100644
> --- a/ryu/app/ofctl_rest.py
> +++ b/ryu/app/ofctl_rest.py
> @@ -16,6 +16,7 @@
>  import logging
>
>  import json
> +import ast
>  from webob import Response
>
>  from ryu.base import app_manager
> @@ -155,7 +156,7 @@ class StatsController(ControllerBase):
>              flow = {}
>          else:
>              try:
> -                flow = eval(req.body)
> +                flow = ast.literal_eval(req.body)
>              except SyntaxError:
>                  LOG.debug('invalid syntax %s', req.body)
>                  return Response(status=400)
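Review bot: The `except SyntaxError:` following the new `ast.literal_eval(req.body)` no longer covers what the parser raises for a well-formed but non-literal body — `ast.literal_eval` rejects a call, name or attribute expression with `ValueError` (and `TypeError` for some inputs), so such a request now escapes the handler as an unhandled exception instead of the intended 400; widening the clause to `except (SyntaxError, ValueError, TypeError):` restores the 400 path. The same clause appears in the other five `literal_eval` hunks of this patch (mod_flow_entry, mod_meter_entry, mod_group_entry, mod_port_behavior and the experimenter handler), and the superseded `json.loads` version quoted below has the equivalent gap, since `json.loads` signals malformed input with `ValueError`, never `SyntaxError`. The parsed value's type is also not checked — a body such as `[]` or `1` passes the parse and presumably fails later where the handler treats `flow` as a dict; adding `if not isinstance(flow, dict): return Response(status=400)` after the try keeps the rejection at the request boundary. Note too that `ast.literal_eval` is documented as able to exhaust the interpreter stack on sufficiently nested input, so a request-body size limit in front of these handlers remains worthwhile. The enclosing handler begins outside the hunk.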
> @@ -326,7 +327,7 @@ class StatsController(ControllerBase):
>
>      def mod_flow_entry(self, req, cmd, **_kwargs):
>          try:
> -            flow = eval(req.body)
> +            flow = ast.literal_eval(req.body)
>          except SyntaxError:
>              LOG.debug('invalid syntax %s', req.body)
>              return Response(status=400)
> @@ -380,7 +381,7 @@ class StatsController(ControllerBase):
>
>      def mod_meter_entry(self, req, cmd, **_kwargs):
>          try:
> -            flow = eval(req.body)
> +            flow = ast.literal_eval(req.body)
>          except SyntaxError:
>              LOG.debug('invalid syntax %s', req.body)
>              return Response(status=400)
> @@ -413,7 +414,7 @@ class StatsController(ControllerBase):
>
>      def mod_group_entry(self, req, cmd, **_kwargs):
>          try:
> -            group = eval(req.body)
> +            group = ast.literal_eval(req.body)
>          except SyntaxError:
>              LOG.debug('invalid syntax %s', req.body)
>              return Response(status=400)
> @@ -448,7 +449,7 @@ class StatsController(ControllerBase):
>
>      def mod_port_behavior(self, req, cmd, **_kwargs):
>          try:
> -            port_config = eval(req.body)
> +            port_config = ast.literal_eval(req.body)
>          except SyntaxError:
>              LOG.debug('invalid syntax %s', req.body)
>              return Response(status=400)
> @@ -493,7 +494,7 @@ class StatsController(ControllerBase):
>              return Response(status=404)
>
>          try:
> -            exp = eval(req.body)
> +            exp = ast.literal_eval(req.body)
>          except SyntaxError:
>              LOG.debug('invalid syntax %s', req.body)
>              return Response(status=400)
> --
> 1.9.1
>
>
>
> The patches for rest_firewall.py and rest_qos.py looks good to me.
>
> Thanks.
>
> On 2014年11月09日 20:41, Yi Tseng wrote:
> > It is not safe to use eval function because input data(request body) is
> not checked
> >
> > For example, someone can send this data to remove all files in the
> directory
> >
> > "import('os').system('rm -rf .')"
> >
> > I suggest to use json.loads to parse the request body if the data is
> json format
> >
> > or disable builtin functions like:
> >
> > eval(req.body, {"__builtins__":None})
> >
> > Signed-off-by: Takeshi <a86487...@gmail.com <mailto:a86487...@gmail.com
> >>
> > ---
> >  ryu/app/ofctl_rest.py    | 12 ++++++------
> >  ryu/app/rest_firewall.py |  4 ++--
> >  ryu/app/rest_qos.py      |  2 +-
> >  3 files changed, 9 insertions(+), 9 deletions(-)
> >
> > diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
> > index 125554f..94cbeb2 100644
> > --- a/ryu/app/ofctl_rest.py
> > +++ b/ryu/app/ofctl_rest.py
> > @@ -155,7 +155,7 @@ class StatsController(ControllerBase):
> >              flow = {}
> >          else:
> >              try:
> > -                flow = eval(req.body)
> > +                flow = json.loads(req.body)
> >              except SyntaxError:
> >                  LOG.debug('invalid syntax %s', req.body)
> >                  return Response(status=400)
> > @@ -326,7 +326,7 @@ class StatsController(ControllerBase):
> >
> >      def mod_flow_entry(self, req, cmd, **_kwargs):
> >          try:
> > -            flow = eval(req.body)
> > +            flow = json.loads(req.body)
> >          except SyntaxError:
> >              LOG.debug('invalid syntax %s', req.body)
> >              return Response(status=400)
> > @@ -380,7 +380,7 @@ class StatsController(ControllerBase):
> >
> >      def mod_meter_entry(self, req, cmd, **_kwargs):
> >          try:
> > -            flow = eval(req.body)
> > +            flow = json.loads(req.body)
> >          except SyntaxError:
> >              LOG.debug('invalid syntax %s', req.body)
> >              return Response(status=400)
> > @@ -413,7 +413,7 @@ class StatsController(ControllerBase):
> >
> >      def mod_group_entry(self, req, cmd, **_kwargs):
> >          try:
> > -            group = eval(req.body)
> > +            group = json.loads(req.body)
> >          except SyntaxError:
> >              LOG.debug('invalid syntax %s', req.body)
> >              return Response(status=400)
> > @@ -448,7 +448,7 @@ class StatsController(ControllerBase):
> >
> >      def mod_port_behavior(self, req, cmd, **_kwargs):
> >          try:
> > -            port_config = eval(req.body)
> > +            port_config = json.loads(req.body)
> >          except SyntaxError:
> >              LOG.debug('invalid syntax %s', req.body)
> >              return Response(status=400)
> > @@ -493,7 +493,7 @@ class StatsController(ControllerBase):
> >              return Response(status=404)
> >
> >          try:
> > -            exp = eval(req.body)
> > +            exp = json.loads(req.body)
> >          except SyntaxError:
> >              LOG.debug('invalid syntax %s', req.body)
> >              return Response(status=400)
> > diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
> > index 01eb6e2..4e52b1f 100644
> > --- a/ryu/app/rest_firewall.py
> > +++ b/ryu/app/rest_firewall.py
> > @@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
> >
> >      def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
> >          try:
> > -            rule = eval(req.body)
> > +            rule = json.loads(req.body)
> >          except SyntaxError:
> >              FirewallController._LOGGER.debug('invalid syntax %s',
> req.body)
> >              return Response(status=400)
> > @@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
> >
> >      def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
> >          try:
> > -            ruleid = eval(req.body)
> > +            ruleid = json.loads(req.body)
> >          except SyntaxError:
> >              FirewallController._LOGGER.debug('invalid syntax %s',
> req.body)
> >              return Response(status=400)
> > diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
> > index 057a3fd..537639f 100644
> > --- a/ryu/app/rest_qos.py
> > +++ b/ryu/app/rest_qos.py
> > @@ -499,7 +499,7 @@ class QoSController(ControllerBase):
> >
> >      def _access_switch(self, req, switchid, vlan_id, func, waiters):
> >          try:
> > -            rest = eval(req.body) if req.body else {}
> > +            rest = json.loads(req.body) if req.body else {}
> >          except SyntaxError:
> >              QoSController._LOGGER.debug('invalid syntax %s', req.body)
> >              return Response(status=400)
> > --
> > 1.9.1
> >
> >
> >
> >
> >
>