Message280048

| Field | Value |
|---|---|
| Author | Carl Ekerot |
| Recipients | Carl Ekerot, loewis, serhiy.storchaka, xiang.zhang |
| Date | 2016-11-04 15:05:46 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1478271947.28.0.595157506036.issue28563@psf.upfronthosting.co.za> |
| In-reply-to | |

Content
It doesn't solve the case when an identifier or number is used as a function:

```python
>>> import os
>>> gettext.c2py("n()")(lambda: os.system("sh"))
$
0
>>> gettext.c2py("1()")(0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 1, in <lambda>
TypeError: 'int' object is not callable
```

This is more of an unintended behavior than a security issue.

Xiang Zhang: I've created a patch based on yours which handles the above case. I've also added a corresponding test case.

IMO it would be even better if we could avoid eval. One possible (and safe) way would be to construct a safe subset of Python using the ast module. This would however still require that the C-style syntax is translated to Python. As you mention, there are issues parsing and translating nested ternary operators, and I doubt it will be possible to cover all cases with the regex replace utilized today.
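The ast-based safe subset suggested above, as an added example that is neither the patch attached to this issue nor the code that was eventually merged into gettext: it takes a plural rule already in Python syntax (the form c2py produces from the C expression), whitelists the node types a plural rule needs, and interprets the tree directly instead of calling eval, so `n()` and `1()` are refused as `ast.Call` nodes before anything is evaluated. The names `safe_plural` and `is_safe_plural` are mine, and the code assumes Python 3.8+ (it relies on `ast.Constant`).

```python
import ast
import operator
# Added example, not the c2py patch from this issue: run a plural rule via its AST, no eval().
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_ALLOWED = (ast.Expression, ast.Load, ast.Constant, ast.Name, ast.BinOp, ast.Compare,
            ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.IfExp, *_BIN_OPS, *_CMP_OPS)

def _eval_node(node, n):
    """Evaluate one already-validated node with the single variable n bound."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return n
    if isinstance(node, ast.BinOp):
        return _BIN_OPS[type(node.op)](_eval_node(node.left, n), _eval_node(node.right, n))
    if isinstance(node, ast.Compare):
        return int(_CMP_OPS[type(node.ops[0])](_eval_node(node.left, n),
                                               _eval_node(node.comparators[0], n)))
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v, n) for v in node.values]
        return int(all(values) if isinstance(node.op, ast.And) else any(values))
    if isinstance(node, ast.UnaryOp):  # only ast.Not survives validation
        return int(not _eval_node(node.operand, n))
    branch = node.body if _eval_node(node.test, n) else node.orelse  # ast.IfExp
    return _eval_node(branch, n)

def safe_plural(expr):
    """Return n -> int for expr, or raise ValueError; "n()" and "1()" are ast.Call and refused."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("disallowed %s in %r" % (type(node).__name__, expr))
        if isinstance(node, ast.Name) and node.id != "n":
            raise ValueError("only the variable n is permitted, got %r" % node.id)
        if isinstance(node, ast.Constant) and type(node.value) is not int:
            raise ValueError("only integer literals are permitted")
        if isinstance(node, ast.Compare) and len(node.ops) != 1:
            raise ValueError("chained comparisons are not plural-rule syntax")
    return lambda n: _eval_node(tree.body, int(n))

def is_safe_plural(expr):
    """True when safe_plural accepts expr, False when it rejects it."""
    try:
        safe_plural(expr)
    except (ValueError, SyntaxError):
        return False
    return True
```

Because validation walks the whole tree up front, a disallowed node in an untaken ternary branch is still rejected, which a "try it with n=0" check would miss.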
History

| Date | User | Action | Args |
|---|---|---|---|
| 2016-11-04 15:05:47 | Carl Ekerot | set | recipients: + Carl Ekerot, loewis, serhiy.storchaka, xiang.zhang |
| 2016-11-04 15:05:47 | Carl Ekerot | set | messageid: <1478271947.28.0.595157506036.issue28563@psf.upfronthosting.co.za> |
| 2016-11-04 15:05:47 | Carl Ekerot | link | issue28563 messages |
| 2016-11-04 15:05:46 | Carl Ekerot | create | |