On Mon, 10 Nov 2014 09:04:36 +0900
Yusuke Iwase <[email protected]> wrote:
> Hi
>
> I'm just trying to make and test the same modification.
> Thanks.
>
> I think ofctl_rest.py needs to be compatible with hexadecimal values
> or ASCII byte arrays (e.g. "\x00\x00\x00\x01" in Experimenter)
> in order to keep usability.
> But json.loads cannot parse hexadecimal values or ASCII byte arrays.
>
> I suggest using another function, e.g. ast.literal_eval(), in ofctl_rest.py.
>
>
> How about this?
> I modified your patch.
>
> ---------------------------
>
> It is not safe to use the eval function because the input data (request body)
> is not checked.
> For example, someone can send this data to remove all files in the directory:
> "__import__('os').system('rm -rf .')"
>
> I suggest using json.loads to parse the request body if the data is in JSON
> format,
> or disabling builtin functions like:
> eval(req.body, {"__builtins__": None})
>
> In this patch, ast.literal_eval() is used to evaluate the REST body,
> because ofctl_rest needs to be compatible with hexadecimal values
> or ASCII byte arrays (e.g. "\x00\x00\x00\x01" in Experimenter)
> in order to keep usability.
>
> Signed-off-by: Takeshi <[email protected]>
> Signed-off-by: IWASE Yusuke <[email protected]>
> ---
> ryu/app/ofctl_rest.py | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
Applied, thanks a lot!
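The point the thread settles on (json.loads is too strict for the hex and escaped-byte bodies ofctl_rest accepts, while eval on an unchecked request body is remote code execution) can be checked directly. The following is an added example written for this page, not code from Ryu's ofctl_rest.py or from the patch; the request bodies are constructed to resemble what such a REST client might POST and are assumptions, as is the ValueError-only error handling.

```python
import ast
import json

# Constructed sample request bodies (assumptions, not taken from the thread).
HEX_BODY = '{"dpid": 1, "experimenter": 0x00000001}'        # hex literal
ESCAPE_BODY = '{"dpid": 1, "data": "\\x00\\x00\\x00\\x01"}'  # \x byte escapes
JSON_BODY = '{"dpid": 1, "priority": 100}'                    # plain JSON
MALICIOUS_BODY = "__import__('os').system('rm -rf .')"         # the payload from the thread


def parse_body_json(body):
    """Strict JSON: rejects hex integers and non-JSON escapes such as \\x00."""
    return json.loads(body)


def parse_body_literal(body):
    """ast.literal_eval builds an AST and only converts literal nodes
    (numbers, strings, dicts, lists, ...). Names, attribute access and
    calls are never evaluated, so code-injection payloads raise ValueError
    instead of executing."""
    return ast.literal_eval(body)


def try_parse(parser, body):
    """Run a parser and report (result, error_name) without raising.
    JSONDecodeError is a ValueError subclass, so one except covers both."""
    try:
        return parser(body), None
    except (ValueError, SyntaxError) as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    for name, body in [("hex", HEX_BODY), ("escape", ESCAPE_BODY),
                       ("json", JSON_BODY), ("malicious", MALICIOUS_BODY)]:
        print(name, "json.loads     ->", try_parse(parse_body_json, body))
        print(name, "literal_eval   ->", try_parse(parse_body_literal, body))
```

json.loads fails on the hex and escaped-byte bodies, literal_eval accepts them, and both reject the injection payload: json.loads because it is not JSON, literal_eval because a Call node is not a literal. Neither parser ever executes the body, which is what the eval-based code lacked.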
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel