[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-26 Thread STINNER Victor
STINNER Victor added the comment: Thanks for the fix Serhiy and thanks Florian Bruhin for the bug report! -- ___ Python tracker ___

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-19 Thread Ned Deily
Change by Ned Deily:
keywords: +security_issue
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.6, Python 3.7

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-19 Thread Ned Deily
Ned Deily added the comment: New changeset e912e945f2960029d039d3390ea08835ad39374b by Miss Skeleton (bot) in branch '3.6': bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-19 Thread Ned Deily
Ned Deily added the comment: New changeset 43e523103886af66d6c27cd72431b5d9d14cd2a9 by Miss Skeleton (bot) in branch '3.7': bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22578)

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: New changeset a8bf44d04915f7366d9f8dfbf84822ac37a4bab3 by Florian Bruhin in branch 'master': bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: Since it's a security vulnerability, I created backports to 3.6 and 3.7 as well.

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington
Change by miss-islington:
pull_requests: +21573
pull_request: https://github.com/python/cpython/pull/22578

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: New changeset 6c6c256df3636ff6f6136820afaefa5a10a3ac33 by Miss Skeleton (bot) in branch '3.8': bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22577)

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington
Change by miss-islington:
pull_requests: +21574
pull_request: https://github.com/python/cpython/pull/22579

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington
miss-islington added the comment: New changeset b664a1df4ee71d3760ab937653b10997081b1794 by Miss Skeleton (bot) in branch '3.9': bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566)

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: New changeset 2ef5caa58febc8968e670e39e3d37cf8eef3cab8 by Serhiy Storchaka in branch 'master': bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566)

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington
Change by miss-islington:
pull_requests: +21572
pull_request: https://github.com/python/cpython/pull/22577

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington
Change by miss-islington:
nosy: +miss-islington
nosy_count: 5.0 -> 6.0
pull_requests: +21571
pull_request: https://github.com/python/cpython/pull/22576

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: I'm now tracking this vulnerability at: https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment:
> FWIW I found another place where a similar thing is done, though by chance
> it's probably not exploitable - see GH-22575.
I agree that test_ucn is not exploitable, but it would be nice to harden it anyway. Extract of the code:

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Florian Bruhin
Florian Bruhin added the comment: Thanks for the clarification - I wasn't aware those tests aren't run by default. FWIW I found another place where a similar thing is done, though by chance it's probably not exploitable - see GH-22575.

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Florian Bruhin
Change by Florian Bruhin:
pull_requests: +21570
pull_request: https://github.com/python/cpython/pull/22575

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: I'm not saying that this issue is not a vulnerability, just that the scope is limited. By default, downloads from the Internet are disabled. You have to opt-in for that using -u network (or -u all which enables the network resource) command line option of
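To make concrete what the subject line of this thread means in practice, here is an added example; it is not code from CPython's test suite, from the linked pull requests, or from anyone in this thread. It parses a constructed code-page mapping table twice: once with the unsafe pattern that hands each downloaded field to eval(), and once with a hardened parser that accepts only hex literals in the expected shape. The tab-separated `0xSRC<TAB>0xUNICODE<TAB># comment` line format, the helper names and the sample lines are all assumptions made for this illustration. The hostile line only appends to a list so that the code execution is visible without side effects; a real payload would call something like `__import__('os').system(...)` instead.

```python
import re

# Constructed sample data for this illustration (not a real mapping file).
BENIGN_TABLE = (
    "# constructed code-page table: 0xSRC<TAB>0xUNICODE<TAB># comment\n"
    "0x41\t0x0041\t# LATIN CAPITAL LETTER A\n"
    "0xA1\t0x3000\t# IDEOGRAPHIC SPACE\n"
)
# A line that whoever controls the HTTP response (the server, or a man in
# the middle on plain HTTP) could inject. It records that it ran instead of
# doing damage; `__import__('os').system(...)` would work just as well here.
HOSTILE_LINE = "EXECUTED.append('pwned') or 0x41\t0x0041\n"
EXECUTED = []


def parse_with_eval(text):
    """The unsafe pattern: each field of a downloaded line goes to eval().

    eval('0x41') returns 65, which is why it looked convenient, but eval()
    also runs any other Python expression the remote side chooses to send.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst = line.split("\t")[:2]
        mapping[eval(src)] = eval(dst)  # arbitrary code execution
    return mapping


# One entry: a hex source byte sequence, a hex code point, optional comment.
_ENTRY = re.compile(
    r"^0x(?P<src>[0-9A-Fa-f]{2,8})\s+0x(?P<dst>[0-9A-Fa-f]{4,6})(?:\s+#.*)?$"
)


def parse_strict(text):
    """Hardened parser: only hex literals in the expected shape are accepted.

    int(field, 16) is the minimal drop-in replacement for eval() on a hex
    literal; the regex additionally pins the whole line to the expected
    format so that anything unexpected fails loudly instead of being
    silently interpreted.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a mapping entry: {raw!r}")
        mapping[int(m.group("src"), 16)] = int(m.group("dst"), 16)
    return mapping


def strict_rejects(text):
    """True if parse_strict() refuses the input, False if it parses it."""
    try:
        parse_strict(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eval parser, benign:  ", parse_with_eval(BENIGN_TABLE))
    print("eval parser, hostile: ", parse_with_eval(BENIGN_TABLE + HOSTILE_LINE))
    print("payload ran:", EXECUTED)  # the injected line was executed
    print("strict parser, benign:", parse_strict(BENIGN_TABLE))
    print("strict parser rejects hostile:", strict_rejects(BENIGN_TABLE + HOSTILE_LINE))
```

Both parsers return the same mapping for the benign table; only the strict one refuses the tampered one. The point for anyone who enables the network resource when running a test suite, packagers included, is that a plain-HTTP download fed to eval() is a remote code execution primitive regardless of how rarely that code path runs.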

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Florian Bruhin
Florian Bruhin added the comment: That assumption is false. For starters, distribution packagers do: https://github.com/archlinux/svntogit-packages/blob/3fc85177e35d1ff9ab000950c5d1af9567730434/trunk/PKGBUILD#L72-L84

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: Oops: Only developers of Python itself run the Python test suite.

[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor
STINNER Victor added the comment: I don't think that a CVE is justified. I don't know anyone running the Python test suite on production. Only developers of Python itself run Python.
title: Python testsuite calls eval() on content received via HTTP -> [security] Python testsuite