[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-26 Thread STINNER Victor


STINNER Victor  added the comment:

Thanks for the fix Serhiy and thanks Florian Bruhin for the bug report!

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-19 Thread Ned Deily


Change by Ned Deily :


--
keywords: +security_issue
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.6, Python 3.7




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-19 Thread Ned Deily


Ned Deily  added the comment:


New changeset e912e945f2960029d039d3390ea08835ad39374b by Miss Skeleton (bot) 
in branch '3.6':
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec 
tests (GH-22566) (GH-22579)
https://github.com/python/cpython/commit/e912e945f2960029d039d3390ea08835ad39374b


--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-19 Thread Ned Deily


Ned Deily  added the comment:


New changeset 43e523103886af66d6c27cd72431b5d9d14cd2a9 by Miss Skeleton (bot) 
in branch '3.7':
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec 
tests (GH-22566) (GH-22578)
https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9


--
nosy: +ned.deily




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset a8bf44d04915f7366d9f8dfbf84822ac37a4bab3 by Florian Bruhin in 
branch 'master':
bpo-41944: No longer call eval() on content received via HTTP in the 
UnicodeNames tests (GH-22575)
https://github.com/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3


--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:

Since it's a security vulnerability, I created backports to 3.6 and 3.7 as well.

--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington


Change by miss-islington :


--
pull_requests: +21573
pull_request: https://github.com/python/cpython/pull/22578




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset 6c6c256df3636ff6f6136820afaefa5a10a3ac33 by Miss Skeleton (bot) 
in branch '3.8':
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec 
tests (GH-22566) (GH-22577)
https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33


--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington


Change by miss-islington :


--
pull_requests: +21574
pull_request: https://github.com/python/cpython/pull/22579




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington


miss-islington  added the comment:


New changeset b664a1df4ee71d3760ab937653b10997081b1794 by Miss Skeleton (bot) 
in branch '3.9':
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec 
tests (GH-22566)
https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794


--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:


New changeset 2ef5caa58febc8968e670e39e3d37cf8eef3cab8 by Serhiy Storchaka in 
branch 'master':
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec 
tests (GH-22566)
https://github.com/python/cpython/commit/2ef5caa58febc8968e670e39e3d37cf8eef3cab8


--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington


Change by miss-islington :


--
pull_requests: +21572
pull_request: https://github.com/python/cpython/pull/22577




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 5.0 -> 6.0
pull_requests: +21571
pull_request: https://github.com/python/cpython/pull/22576




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:

I'm now tracking this vulnerability at:
https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html

--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:

> FWIW I found another place where a similar thing is done, though by chance 
> it's probably not exploitable - see GH-22575.

I agree that test_ucn is not exploitable, but it would be nice to harden it 
anyway.

Extract of the code:

    self.assertEqual(unicodedata.lookup(seqname), codepoints)
    with self.assertRaises(SyntaxError):
        self.checkletter(seqname, None)

test_ucn downloads http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt 
and calls checkletter() on each line, but first it ensures that 
unicodedata.lookup(seqname) works as expected.

I don't see how it would be possible to inject arbitrary Python code into the 
'seqname' variable without making unicodedata.lookup() fail.

--

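The hardening discussed above for test_ucn, as an added example that is not CPython's test code: each downloaded NamedSequences.txt line is treated as data rather than spliced into Python source. The name is validated against the character set Unicode names actually use (uppercase ASCII letters, digits, space, hyphen), each code point must be 4 to 6 hex digits, and the decoded sequence is compared with unicodedata.lookup(). The sample lines are constructed for this example and the helper names are assumptions, not names from the CPython test suite.

```python
"""Parse NamedSequences.txt lines without eval() (added example)."""
import re
import unicodedata

# Unicode character names are built only from uppercase ASCII letters,
# digits, space and hyphen. Anything else in a downloaded file is rejected
# instead of being interpreted.
_NAME_RE = re.compile(r"^[A-Z0-9][A-Z0-9 -]*$")
# A code point field is 4 to 6 hex digits (e.g. 0100, 1F1E6).
_HEX_RE = re.compile(r"^[0-9A-F]{4,6}$")


def parse_named_sequence_line(line):
    """Return (name, sequence) for a data line, None for blank/comment lines.

    Raises ValueError for any line that does not match the format exactly,
    so a hostile or corrupted download fails closed.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    name, sep, cps = line.partition(";")
    if not sep:
        raise ValueError("missing ';' separator: %r" % line)
    name = name.strip()
    if not _NAME_RE.match(name):
        raise ValueError("invalid sequence name: %r" % name)
    fields = cps.split()
    if not fields:
        raise ValueError("no code points for %r" % name)
    for field in fields:
        if not _HEX_RE.match(field):
            raise ValueError("invalid code point %r for %r" % (field, name))
    # chr() itself raises ValueError for values above 0x10FFFF.
    return name, "".join(chr(int(field, 16)) for field in fields)


def check_named_sequences(text):
    """Parse a NamedSequences.txt body and verify every entry against
    unicodedata.lookup(). Returns (ok_count, [(lineno, problem), ...])."""
    ok = 0
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_named_sequence_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if entry is None:
            continue
        name, expected = entry
        try:
            actual = unicodedata.lookup(name)
        except KeyError:
            problems.append((lineno, "unknown name %r" % name))
            continue
        if actual != expected:
            problems.append((lineno, "lookup mismatch for %r" % name))
            continue
        ok += 1
    return ok, problems


# Constructed excerpt in the NamedSequences.txt format (both entries exist
# in the real file).
SAMPLE_GOOD = """\
# constructed excerpt for this example
LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100 0300
LATIN SMALL LETTER A WITH MACRON AND GRAVE;0101 0300
"""

# Constructed malformed lines: each one must be reported, never interpreted.
SAMPLE_BAD = """\
lowercase name;0041
NAME WITH BRACES {X};0041
LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;ZZZZ
LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        ok, problems = check_named_sequences(sample)
        print("%s: %d verified, %d problems" % (label, ok, len(problems)))
        for lineno, problem in problems:
            print("  line %d: %s" % (lineno, problem))
```

The design point is that the file content never reaches the compiler: the only operations applied to a downloaded field are a strict allowlist match, int(field, 16) and chr(). Named sequences cannot be written as \N{...} escapes (the SyntaxError the original test asserts on), so nothing is lost by dropping the eval() path; unicodedata.lookup() is the authoritative comparison.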



[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Florian Bruhin


Florian Bruhin  added the comment:

Thanks for the clarification - I wasn't aware those tests aren't run by default.

FWIW I found another place where a similar thing is done, though by chance it's 
probably not exploitable - see GH-22575.

--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Florian Bruhin


Change by Florian Bruhin :


--
pull_requests: +21570
pull_request: https://github.com/python/cpython/pull/22575




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:

I'm not saying that this issue is not a vulnerability, just that the scope is 
limited.

By default, downloads from the Internet are disabled. You have to opt in to 
that using the -u network (or -u all, which enables the network resource) command 
line option of "./python -m test".

Impacted:

* "make testall", "make testuniversal" and "make buildbottest" commands are 
impacted (pass -u all to the test suite).

* Python buildbot workers are impacted: they run the "make buildbottest" 
command.

* Travis CI is impacted: it runs "./python -m test -uall,-cpu (...)".

* Multiple GitHub Action jobs are impacted (coverage, Windows, macOS, Ubuntu): 
run "-uall,-cpu".

* Azure Pipelines jobs are impacted: use -uall,-cpu.


> https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168

Fedora packages are not impacted: no -u option is passed to the test suite.


> Anyone building with --enable-optimizations (PGO) will likely do so as well, 
> though I'm not sure if that runs this part of the testsuite.

PGO build is not impacted, it uses "./python -m test --pgo" (download is 
disabled). Moreover, multibyte codec checks are not run by this command (see 
Lib/test/libregrtest/pgo.py, only test_codecs of codec tests is run).

--
nosy: +pablogsal, zach.ware




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread Florian Bruhin


Florian Bruhin  added the comment:

That assumption is false. For starters, distribution packagers do:

https://github.com/archlinux/svntogit-packages/blob/3fc85177e35d1ff9ab000950c5d1af9567730434/trunk/PKGBUILD#L72-L84

https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168

When I build a Python from source (via an Arch User Repository package), I do 
as well, and so does anyone installing those packages by default.

Anyone building with --enable-optimizations (PGO) will likely do so as well, 
though I'm not sure if that runs this part of the testsuite.

--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:

Oops: Only developers of Python itself run the Python test suite.

--




[issue41944] [security] Python testsuite calls eval() on content received via HTTP

2020-10-06 Thread STINNER Victor


STINNER Victor  added the comment:

I don't think that a CVE is justified.

I don't know anyone running the Python test suite on production. Only 
developers of Python itself run Python.

--
title: Python testsuite calls eval() on content received via HTTP -> [security] 
Python testsuite calls eval() on content received via HTTP
