[issue22885] Arbitrary code execution vulnerability due to unchecked eval() call in dumbdbm module

2015-02-22 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22885 ___

2015-02-15 Thread Roundup Robot
Roundup Robot added the comment:
New changeset 02865d22a98d by Serhiy Storchaka in branch '2.7': Issue #22885: Fixed arbitrary code execution vulnerability in the dumbdbm https://hg.python.org/cpython/rev/02865d22a98d
New changeset 693bf15b4314 by Serhiy Storchaka in branch '3.4': Issue #22885:

2015-02-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Committed issue22885.patch with a modified test which demonstrates the vulnerability of unpatched dbm.dumb. If you want to change the exception type raised by dbm.dumb, you can open a new issue. -- assignee: -> serhiy.storchaka resolution: -> fixed stage: patch

2015-01-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Raising dbm.dumb.error is a behavior change. It would be safer not to apply this part in maintained releases. If you add sanity checks in 3.5, note that the following line, key = key.encode('Latin-1'), can raise an exception too (AttributeError or UnicodeEncodeError).

2015-01-24 Thread Claudiu Popa
Claudiu Popa added the comment: Thanks, Serhiy. Only the security issue is fixed in this patch, since eval is replaced by ast.literal_eval and nothing else. Indeed, if the data is something other than what dbm expects after ast.literal_eval, then it would fail, but it would have failed

2015-01-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I mean that raising dbm.dumb.error is a different issue unrelated to changing eval to ast.literal_eval. See also Raymond's objections in issue21708. issue22885.patch LGTM. -- nosy: +rhettinger

2015-01-23 Thread Claudiu Popa
Claudiu Popa added the comment: Thanks, Victor. I thought the same thing, but the file is already deleted here: https://hg.python.org/cpython/file/981ba93bcbde/Lib/test/test_dbm_dumb.py#l228 --

2015-01-23 Thread STINNER Victor
STINNER Victor added the comment: +with open(_fname + .dir, 'w') as stream: +stream.write(content) I don't see where the created file is deleted. Add something like: self.addCleanup(support.unlink, _fname + .dir) -- nosy: +haypo

2015-01-21 Thread Claudiu Popa
Changes by Claudiu Popa pcmantic...@gmail.com: -- priority: normal -> high stage: -> patch review versions: +Python 3.5

2015-01-21 Thread Guido van Rossum
Guido van Rossum added the comment: Python 3's exception chaining allows us to do the second (easier to catch without resorting to except Exception: or even except:) while still showing the original exception in the traceback. -- nosy: +gvanrossum

2015-01-21 Thread Claudiu Popa
Claudiu Popa added the comment: Here's a patch which uses ast.literal_eval instead. This doesn't get code executed, since literal_eval will fail loudly for anything other than a literal. There are some issues to consider: - let the current ast.literal_eval call bubble out with a lot of
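The two points discussed in this thread, replacing eval with ast.literal_eval (the patch above) and wrapping the parse failure in a module-level error with exception chaining (Guido's suggestion), as an added example that is not the tracker's patch or the dbm.dumb source: the "'key', (pos, siz)" line format and the Latin-1 encode step follow dumbdbm, while DumbDBMError, the integer sanity check and the blank-line skip are this example's own assumptions.

```python
import ast


class DumbDBMError(Exception):
    """Stand-in for dbm.dumb.error; hypothetical name used only in this example."""


def parse_dir_line(line):
    """Parse one entry of a dumbdbm directory (.dir) file: "'key', (pos, siz)".

    The unpatched _update did `key, pos_and_siz_pair = eval(line)`, so any
    expression stored in the file ran as code. ast.literal_eval accepts Python
    literals only; a call, name or attribute access raises ValueError instead of
    executing. It still parses input of any size, so it stops code execution,
    not resource exhaustion from a huge or deeply nested entry.
    """
    try:
        key, (pos, siz) = ast.literal_eval(line)
        # Same step the module performs next; as noted in the thread it can
        # raise AttributeError (key is not a str) or UnicodeEncodeError.
        key = key.encode("Latin-1")
    except (ValueError, SyntaxError, TypeError, AttributeError, UnicodeEncodeError) as exc:
        # `from exc` keeps the original error in the traceback while callers
        # only need to catch DumbDBMError (no bare `except:` required).
        raise DumbDBMError("malformed .dir entry: %r" % line) from exc
    if not (isinstance(pos, int) and isinstance(siz, int)):
        # Extra sanity check on the parsed shape (this example's addition).
        raise DumbDBMError("position/size must be ints in .dir entry: %r" % line)
    return key, pos, siz


def load_index(lines):
    """Build the key -> (pos, siz) index from .dir lines. Blank lines are
    skipped (this example's choice, not the module's behaviour)."""
    index = {}
    for line in lines:
        line = line.rstrip()
        if line:
            key, pos, siz = parse_dir_line(line)
            index[key] = (pos, siz)
    return index


def rejection_cause(line):
    """Return None if the entry is accepted, else the name of the exception that
    caused the rejection (the chained cause, or DumbDBMError for the sanity check)."""
    try:
        parse_dir_line(line)
    except DumbDBMError as exc:
        cause = exc.__cause__
        return type(cause).__name__ if cause is not None else type(exc).__name__
    return None
```

Constructed sample lines such as `"'foo', (0, 512)"` are accepted, while an entry containing a call, e.g. `"'foo', (len('x'), 512)"`, is rejected with ValueError chained as the cause.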

2015-01-21 Thread Claudiu Popa
Claudiu Popa added the comment: Thanks for the tip, Guido. The new patch uses exception chaining. If this needs backporting, most probably the first patch can be used. -- Added file: http://bugs.python.org/file37813/issue22885_1.patch

2014-11-16 Thread Stephen Farris
New submission from Stephen Farris: The dumbdbm module uses an unchecked call to eval() in the _update method, which is called in response to a call to dumbdbm.open(), and is used to load the index from the directory file. This poses a security vulnerability because it allows an attacker to

2014-11-16 Thread R. David Murray
Changes by R. David Murray rdmur...@bitdance.com: -- nosy: +r.david.murray