Re: First security bug related to f-strings
On Sat, Nov 5, 2016 at 6:50 PM, Irmen de Jongwrote: > Perhaps. But in those cases you could just leave things on the default. > If you choose to run the interpreter with eval (and exec) disabled, you > should be aware > that you'll break tools like that. But for other situations (web server etc) > it could > still be useful? I do agree that not being able to use namedtuple (and > perhaps other > things from the stdlib) is a problem then. Breaking importlib at startup is not an option. An application would need to import everything before disabling exec. -- https://mail.python.org/mailman/listinfo/python-list
Re: First security bug related to f-strings
On 5-11-2016 19:08, eryk sun wrote: > On Sat, Nov 5, 2016 at 5:33 PM, Irmen de Jongwrote: >> I think perhaps we should have a command line option / environment variable >> to be able >> to disable 'eval' altogether > > I don't think that's practical. exec and eval are commonly used by > shells and IDEs such as IDLE and IPython. In the standard library, > importlib and namedtuple are two important users of exec. Just try > `import builtins; del builtins.exec, builtins.eval`. > Perhaps. But in those cases you could just leave things on the default. If you choose to run the interpreter with eval (and exec) disabled, you should be aware that you'll break tools like that. But for other situations (web server etc) it could still be useful? I do agree that not being able to use namedtuple (and perhaps other things from the stdlib) is a problem then. It was just a thought Irmen -- https://mail.python.org/mailman/listinfo/python-list
Re: First security bug related to f-strings
On Sat, Nov 5, 2016 at 5:33 PM, Irmen de Jongwrote: > I think perhaps we should have a command line option / environment variable > to be able > to disable 'eval' altogether I don't think that's practical. exec and eval are commonly used by shells and IDEs such as IDLE and IPython. In the standard library, importlib and namedtuple are two important users of exec. Just try `import builtins; del builtins.exec, builtins.eval`. -- https://mail.python.org/mailman/listinfo/python-list
Re: First security bug related to f-strings
On 5-11-2016 18:12, Steve D'Aprano wrote: > Well, that didn't take very long at all. > > Here's the first security bug which is related to the new (and badly > misnamed) f-string feature: > > http://bugs.python.org/issue28563 I think perhaps we should have a command line option / environment variable to be able to disable 'eval' altogether Irmen -- https://mail.python.org/mailman/listinfo/python-list
First security bug related to f-strings
Well, that didn't take very long at all. Here's the first security bug which is related to the new (and badly misnamed) f-string feature: http://bugs.python.org/issue28563 Note what I'm not saying: I'm not saying that the bug is *caused* by f-strings. It is not. The bug is actually caused by the inappropriate use of eval. But the worrying thing here is: Bonus: With the new string interpolation in Python 3.7, exploiting gettext.c2py becomes trivial: gettext.c2py('f"{os.system(\'sh\')}"')(0) The tokenizer will recognize the entire format-string as just a string, thus bypassing the security checks. Yay for hiding arbitrary code evaluation inside something that pretends to be a string! My guess is that there is probably more code out there in the wild which is vulnerable to code injection attacks thanks to the use of eval or exec, but its been too hard to exploit up until now. But with f-strings, chances are that they too will be trivially exploitable. -- Steve “Cheer up,” they said, “things could be worse.” So I cheered up, and sure enough, things got worse. -- https://mail.python.org/mailman/listinfo/python-list