[issue24683] Type confusion in json encoding

2016-02-05 Thread paul

paul added the comment:

Sorry, I wasn't clear enough. This POC is a proof that the original bug can be 
used for EIP control. I just checked and it works as advertised on 2.7 
revision: https://hg.python.org/cpython/rev/2d39777f3477 - it's a parent of 
https://hg.python.org/cpython/rev/0a1266ef1b5d containing the patch for this 
issue. I added this file, because I submitted a bug on hackerone claiming EIP 
control.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24683] Type confusion in json encoding

2016-02-05 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

The same result on 2.7 branch:

$ ./python ../cpython/eip.py 
Traceback (most recent call last):
  File "../cpython/eip.py", line 21, in <module>
    e = j.make_encoder(markers, None, enc, 4, "ks", "is", False, True, True)
TypeError: make_encoder() argument 1 must be dict or None, not str

--




[issue24683] Type confusion in json encoding

2016-02-05 Thread paul

paul added the comment:

Can you try on 2.7 branch?

--




[issue24683] Type confusion in json encoding

2016-02-05 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

I can't reproduce your example, paul.

$ ./python eip.py 
Traceback (most recent call last):
  File "eip.py", line 21, in <module>
    e = j.make_encoder(markers, None, enc, 4, "ks", "is", False, True, True)
TypeError: make_encoder() argument 1 must be dict or None, not array.array

--




[issue24683] Type confusion in json encoding

2016-01-26 Thread paul

paul added the comment:

Proof of EIP control.

--
Added file: http://bugs.python.org/file41719/eip.py




[issue24683] Type confusion in json encoding

2016-01-26 Thread paul

paul added the comment:

GDB dump of running ./python eip.py

___
 eax:37A317DD ebx:B7A54268  ecx:BFFFE22C  edx:11223344 eflags:00010217
 esi:B7A61060 edi:B7AA6714  esp:BFFFE20C  ebp:B7A317DC eip:11223344
 cs:0073  ds:007B  es:007B  fs:  gs:0033  ss:007Bo d I t s z A P C
[007B:BFFFE20C]-[stack]
BFFFE23C : 10 FA A1 B7  60 10 A6 B7 - 68 42 A5 B7  00 60 A2 B7 `...hB...`..
BFFFE22C : 60 17 A6 B7  10 68 2B 08 - 00 60 A2 B7  DC 17 A3 B7 `h+..`..
BFFFE21C : 2C E2 FF BF  DC 17 A3 B7 - 3C E2 FF BF  00 00 00 00 ,...<...
BFFFE20C : AE 07 0D 08  60 10 A6 B7 - 68 42 A5 B7  DD 17 A3 37 `...hB.7
[0073:11223344]-[ code]
=> 0x11223344:  Error while running hook_stop:
Cannot access memory at address 0x11223344
0x11223344 in ?? ()

--




[issue24683] Type confusion in json encoding

2015-08-16 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24683
___



[issue24683] Type confusion in json encoding

2015-07-27 Thread paul

paul added the comment:

resolution: not a bug

^ because of private API?

--




[issue24683] Type confusion in json encoding

2015-07-26 Thread Roundup Robot

Roundup Robot added the comment:

New changeset b3d0bf112f70 by Serhiy Storchaka in branch '3.4':
Issue #24683: Fixed crashes in _json functions called with arguments of
https://hg.python.org/cpython/rev/b3d0bf112f70

New changeset ef4d09399b99 by Serhiy Storchaka in branch '3.5':
Issue #24683: Fixed crashes in _json functions called with arguments of
https://hg.python.org/cpython/rev/ef4d09399b99

New changeset 7de4abf4eed2 by Serhiy Storchaka in branch 'default':
Issue #24683: Fixed crashes in _json functions called with arguments of
https://hg.python.org/cpython/rev/7de4abf4eed2

--
nosy: +python-dev




[issue24683] Type confusion in json encoding

2015-07-26 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 0a1266ef1b5d by Serhiy Storchaka in branch '2.7':
Issue #24683: Fixed a crash in _json.make_encoder() called with non-dict 1st 
argument.
https://hg.python.org/cpython/rev/0a1266ef1b5d

--




[issue24683] Type confusion in json encoding

2015-07-26 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Thank you for your report, paul. Thanks for the review, Raymond.

--
resolution:  -> not a bug
stage: patch review -> resolved
status: open -> closed




[issue24683] Type confusion in json encoding

2015-07-25 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

There is a similar issue with key_separator and item_separator in 3.x. They are 
used with _PyAccu_Accumulate that performs a type check only in assert().

Here is a patch.

--
keywords: +patch
stage: needs patch -> patch review
versions: +Python 2.7, Python 3.4, Python 3.6
Added file: http://bugs.python.org/file40025/json_make_encoder_typecheck.patch




[issue24683] Type confusion in json encoding

2015-07-25 Thread Raymond Hettinger

Raymond Hettinger added the comment:

Patch LGTM.

--
nosy: +rhettinger




[issue24683] Type confusion in json encoding

2015-07-22 Thread STINNER Victor

STINNER Victor added the comment:

I don't understand the issue. Can you elaborate?

What is your code? What is the current result? What is the expected result? 
What is your platform? What is your Python version? etc.

--
nosy: +haypo




[issue24683] Type confusion in json encoding

2015-07-22 Thread paul

paul added the comment:

Sorry, I uploaded a test case.

--




[issue24683] Type confusion in json encoding

2015-07-22 Thread paul

New submission from paul:

on-35dm-i386-linux-gnu.so`encoder_listencode_list(s=0xb6f90394, acc=0xbfc42c28, 
seq=0xb6f2361c, indent_level=1) + 655 at _json.c:1800
# frame #2: 0xb6e4366d 
_json.cpython-35dm-i386-linux-gnu.so`encoder_listencode_obj(s=0xb6f90394, 
acc=0xbfc42c28, obj=0xb6f2361c, indent_level=1) + 733 at _json.c:1554
# frame #3: 0xb6e3fc4f 
_json.cpython-35dm-i386-linux-gnu.so`encoder_call(self=0xb6f90394, 
args=0xb7049304, kwds=0x) + 319 at _json.c:1386
# frame #4: 0x080c5758 python`PyObject_Call(func=0xb6f90394, 
arg=0xb7049304, kw=0x) + 264 at abstract.c:2149
# 
# This is a type confusion bug. encoder->markers can be initialized to an
# arbitrary object (string in this POC). PyDict_Contains trusts the caller that
# op is a dictionary without checking. Some callers can't be trusted :)

--
messages: 247093
nosy: pkt
priority: normal
severity: normal
status: open
title: Type confusion in json encoding
type: crash
versions: Python 3.5




[issue24683] Type confusion in json encoding

2015-07-22 Thread Serhiy Storchaka

Changes by Serhiy Storchaka storch...@gmail.com:


--
assignee:  -> serhiy.storchaka
components: +Extension Modules
nosy: +serhiy.storchaka
stage:  -> needs patch




[issue24683] Type confusion in json encoding

2015-07-22 Thread paul

Changes by paul paw...@gmail.com:


Added file: http://bugs.python.org/file39975/json_markers.py




[issue24683] Type confusion in json encoding

2015-07-22 Thread Ronald Oussoren

Ronald Oussoren added the comment:

In encoder_init (the __init__ for _json.Encoder) s->marker is set to an 
argument of __init__ without any kind of type check; it can therefore be an 
arbitrary object.

encoder_listencode_obj (and other functions) then use s->markers with the 
concrete API for dicts (such as PyDict_Contains). 

PyDict_Contains does not perform a type check, but casts its first argument to 
a PyDictObject and accesses fields. That causes problems when the marker isn't 
actually a dict.

I don't know the module well enough to be 100% sure about a fix, but I think it 
would be best to add a type check to encoder_init. 

BTW, as far as I know _json.make_encoder is a private API and shouldn't be used 
directly; when you use the public API the argument will always be a dict.

--
nosy: +ronaldoussoren
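
A regression check for the type checks discussed in Ronald Oussoren's and Serhiy Storchaka's comments (an added example, not code from the tracker or the attached files): it builds the C encoder through `json.encoder.c_make_encoder` with malformed `markers` and separator arguments and records whether the constructor rejects them. The argument values and case labels are constructed for illustration, and `indent` is passed as `None`.

```python
import array
import json.encoder

# Baseline positional arguments (constructed values), in the order of the call
# quoted in the thread: markers, default, encoder, indent, key_separator,
# item_separator, sort_keys, skipkeys, allow_nan.
BASELINE = [{}, None, json.encoder.encode_basestring_ascii, None,
            ": ", ", ", False, True, True]

# (label, argument index, malformed value): constructed test inputs.
CASES = [
    ("markers=str", 0, "not a dict"),
    ("markers=array.array", 0, array.array("I", [0])),
    ("markers=list", 0, []),
    ("key_separator=bytes", 4, b": "),
    ("item_separator=int", 5, 1),
]

def check_make_encoder():
    """Return {label: "TypeError" | "accepted"} for each malformed call.

    Only the constructor sees the bad argument; the resulting encoder is never
    called, so a build without the checks reports "accepted" and does not crash.
    """
    make = json.encoder.c_make_encoder
    if make is None:
        raise RuntimeError("_json C accelerator is not available")
    results = {}
    for label, index, bad in CASES:
        args = list(BASELINE)
        args[index] = bad
        try:
            make(*args)
        except TypeError:
            results[label] = "TypeError"
        else:
            results[label] = "accepted"
    return results

def baseline_works():
    """Well-typed arguments must still build a usable encoder."""
    encoder = json.encoder.c_make_encoder(*BASELINE)
    return "".join(encoder([1, {"k": [2]}], 0))

if __name__ == "__main__":
    for label, outcome in check_make_encoder().items():
        print(f"{label:24} {outcome}")
    print("baseline:", baseline_works())
```

Any case reported as "accepted" means the interpreter's `_json` module stores that argument without validating its type.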
