[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-11-09 Thread Ezio Melotti
Ezio Melotti added the comment: Fixed, thanks for the patch!
-- assignee: -> ezio.melotti; resolution: -> fixed; stage: patch review -> committed/rejected; status: open -> closed
___ Python tracker _

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-11-09 Thread Roundup Robot
Roundup Robot added the comment:
New changeset 058ff991bdcb by Ezio Melotti in branch '2.7': #13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka. http://hg.python.org/cpython/rev/058ff991bdcb
New changeset 2fa338374719 by Ezio Melotti in branch '

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-11-01 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here is a simpler patch. Please approve, it's a really trivial patch.
-- stage: needs patch -> patch review
Added file: http://bugs.python.org/file27832/msgfmt_literal_eval.patch

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-10-17 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: The patch does not unquote strings ("spam\n" is interpreted as r"spam\n") and allows invalid entries such as "\\" or boo.
-- nosy: +serhiy.storchaka; stage: patch review -> needs patch; versions: +Python 3.4
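The thread converges on replacing eval() with ast.literal_eval(), and the message above lists what a correct unquoter must still do: decode escapes such as "\n" and reject malformed tokens such as a dangling backslash or a bare word. The following is an added example of that approach, not the tracker's patch and not msgfmt.py's own code; the function names, the extra quoting and type checks, and the sample PO text are constructed for illustration. It also shows a minimal multi-line PO reader so the unquoting is exercised on realistic input.

```python
from __future__ import annotations

import ast

# Added example: not the patch from the tracker nor msgfmt.py's own code.
# Function names and the sample PO text below are constructed for illustration.


def unquote_po_string(token: str) -> str:
    """Decode one double-quoted PO string token (e.g. "spam\\n") to text.

    ast.literal_eval() only accepts literal syntax (no names, calls, attribute
    access or operators), so untrusted .po content cannot run code.  On top of
    that we insist the token is wrapped in double quotes and decodes to a str,
    which rejects bare words such as  boo , numbers, tuples and expressions
    like  "a" + "b"  that a looser check would let through.
    """
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError(f"not a double-quoted PO string: {token!r}")
    try:
        value = ast.literal_eval(token)
    except (ValueError, SyntaxError) as exc:
        # Covers unterminated escapes such as "\" and any non-literal syntax.
        raise ValueError(f"invalid PO string: {token!r}") from exc
    if not isinstance(value, str):
        raise ValueError(f"PO string did not decode to text: {token!r}")
    return value


def parse_simple_po(text: str) -> dict[str, str]:
    """Read msgid/msgstr pairs from a minimal PO text (no plurals or contexts).

    Like msgfmt, it joins consecutive quoted lines into one string; every
    quoted piece goes through unquote_po_string(), so a malformed or
    non-literal token anywhere in the file aborts the parse instead of being
    evaluated.  Constructed, simplified reader for demonstration only.
    """
    catalog: dict[str, str] = {}
    msgid = msgstr = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or translator/extracted comment
        if line.startswith("msgid "):
            if msgid is not None:
                catalog[msgid] = msgstr  # flush the previous entry
            msgid, msgstr, section = "", "", "id"
            line = line[len("msgid "):].strip()
        elif line.startswith("msgstr "):
            if section != "id":
                raise ValueError("msgstr without a preceding msgid")
            section = "str"
            line = line[len("msgstr "):].strip()
        elif section is None:
            raise ValueError(f"unexpected line outside an entry: {raw!r}")
        piece = unquote_po_string(line)  # continuation lines land here too
        if section == "id":
            msgid += piece
        else:
            msgstr += piece
    if msgid is not None:
        catalog[msgid] = msgstr
    return catalog


# Constructed sample catalogue: one entry whose strings span several lines.
CONSTRUCTED_PO = '''\
# translator comment
msgid ""
"Hello, "
"world\\n"
msgstr ""
"Bonjour, "
"le monde\\n"
'''


if __name__ == "__main__":
    print(parse_simple_po(CONSTRUCTED_PO))
    for bad in ("boo", '"\\"', '"a" + "b"', '__import__("os")'):
        try:
            unquote_po_string(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The quote check in front of literal_eval() is what closes the "boo" case the message raises: literal_eval() would already refuse a bare name, but requiring the token to start and end with a double quote and to produce a str also keeps numbers, tuples and other valid literals out of the catalogue, which is the right shape for a message string.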

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Éric Araujo
Changes by Éric Araujo:
-- nosy: +eric.araujo; versions: -Python 2.6, Python 3.1, Python 3.4

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread David Jean Louis
David Jean Louis added the comment: Hmm, I missed your previous message; indeed, unescaping is not handled by this patch, sorry about that. Here's how it is handled in polib: https://bitbucket.org/izi/polib/src/dbafdc621bf4/polib.py#cl-206

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread David Jean Louis
David Jean Louis added the comment: I'm adding an updated patch that also handles an unescaped double quote at the beginning of the string.
-- versions: +Python 2.6, Python 3.1, Python 3.4
Added file: http://bugs.python.org/file23567/msgfmt.py.diff.update1.diff

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Georg Brandl
Georg Brandl added the comment: This should be fixed; the patch doesn't seem correct, though: it doesn't handle escapes like eval() would.

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Petri Lehtinen
Changes by Petri Lehtinen:
-- nosy: +petri.lehtinen

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Ezio Melotti
Changes by Ezio Melotti:
-- nosy: +barry, benjamin.peterson, ezio.melotti, georg.brandl; stage: -> patch review; versions: -Python 2.6, Python 3.1, Python 3.4

[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread David Jean Louis
New submission from David Jean Louis: Hi, I'm the author of the polib Python module. Incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote) I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution, s