Message 280119 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	Carl Ekerot
Recipients	Carl Ekerot, christian.heimes, loewis, serhiy.storchaka, xiang.zhang
Date	2016年11月05日.18:00:31
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1478368831.96.0.692466556365.issue28563@psf.upfronthosting.co.za>

Content
> The gettext module might be vulnerable to f-string attacks It is. See the example in the first comment: gettext.c2py('f"{os.system(\'sh\')}"')(0) This vulnerability seems to be solved in Xiang's patch. The DoS aspect is interesting though, since there's no constraints against malicious use of the power-operator, say "999..9". This too would be solved by implementing a parser with only simple arithmetics.

Content

> The gettext module might be vulnerable to f-string attacks
It is. See the example in the first comment:
 gettext.c2py('f"{os.system(\'sh\')}"')(0)
This vulnerability seems to be solved in Xiang's patch. The DoS aspect is interesting though, since there's no constraints against malicious use of the power-operator, say "9**9**9**..**9". This too would be solved by implementing a parser with only simple arithmetics.

History
Date	User	Action	Args
2016年11月05日 18:00:32	Carl Ekerot	set	recipients: + Carl Ekerot, loewis, christian.heimes, serhiy.storchaka, xiang.zhang
2016年11月05日 18:00:31	Carl Ekerot	set	messageid: <1478368831.96.0.692466556365.issue28563@psf.upfronthosting.co.za>
2016年11月05日 18:00:31	Carl Ekerot	link	issue28563 messages
2016年11月05日 18:00:31	Carl Ekerot	create

homepage