[Python-checkins] cpython (merge 3.4 -> default): Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb

serhiy.storchaka python-checkins at python.org
Sun Feb 15 23:33:28 CET 2015


https://hg.python.org/cpython/rev/cf6a62b0ef3b
changeset: 94640:cf6a62b0ef3b
parent: 94637:b15a5f239e8a
parent: 94639:693bf15b4314
user: Serhiy Storchaka <storchaka at gmail.com>
date: Mon Feb 16 00:32:41 2015 +0200
summary:
 Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
module. Original patch by Claudiu Popa.
files:
 Lib/dbm/dumb.py | 3 ++-
 Lib/test/test_dbm_dumb.py | 9 +++++++++
 Misc/NEWS | 3 +++
 3 files changed, 14 insertions(+), 1 deletions(-)
diff --git a/Lib/dbm/dumb.py b/Lib/dbm/dumb.py
--- a/Lib/dbm/dumb.py
+++ b/Lib/dbm/dumb.py
@@ -21,6 +21,7 @@
 
 """
 
+import ast as _ast
 import io as _io
 import os as _os
 import collections
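Review bot: the module docstring that closes just above this hunk still describes the .dir index only as a text file of "key, (pos, siz)" lines; now that those lines are parsed with `_ast.literal_eval` rather than `eval`, a short sentence there (or a comment next to the import) stating that the index is parsed as Python literals only, never evaluated as code, would document the security boundary for the next maintainer. The `_ast` alias follows the existing `_io`/`_os` convention, so no change needed there.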
@@ -95,7 +96,7 @@
 with f:
 for line in f:
 line = line.rstrip()
- key, pos_and_siz_pair = eval(line)
+ key, pos_and_siz_pair = _ast.literal_eval(line)
 key = key.encode('Latin-1')
 self._index[key] = pos_and_siz_pair
 
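Review bot: `_ast.literal_eval(line)` closes the code-execution hole, but the line is still unpacked and used without shape or type checks: a malformed index line now raises `ValueError` (valid syntax, non-literal node), `SyntaxError` (unparsable text), or, if the literal parses but is not a 2-tuple whose first element is a `str`, an unpacking `ValueError`/`TypeError` or an `AttributeError` from `key.encode('Latin-1')`. Consider wrapping the parse and unpack in one `try` and re-raising a single, clearly worded exception (e.g. a `ValueError` naming the corrupt .dir file), so callers see one failure mode for a damaged or hostile index instead of three or four, and so `_update` does not leave `self._index` half-populated on the way out.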
diff --git a/Lib/test/test_dbm_dumb.py b/Lib/test/test_dbm_dumb.py
--- a/Lib/test/test_dbm_dumb.py
+++ b/Lib/test/test_dbm_dumb.py
@@ -225,6 +225,15 @@
 with dumbdbm.open(_fname, 'n') as f:
 self.assertEqual(f.keys(), [])
 
+ def test_eval(self):
+ with open(_fname + '.dir', 'w') as stream:
+ stream.write("str(print('Hacked!')), 0\n")
+ with support.captured_stdout() as stdout:
+ with self.assertRaises(ValueError):
+ with dumbdbm.open(_fname) as f:
+ pass
+ self.assertEqual(stdout.getvalue(), '')
+
 def tearDown(self):
 _delete_files()
 
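Review bot: `test_eval` only covers the path where the .dir line is syntactically valid but not a literal (`literal_eval` raising `ValueError` on the `str(print(...))` call); it does not cover a line that fails to parse at all, which `ast.literal_eval` reports as `SyntaxError`, nor a well-formed literal of the wrong shape (e.g. `"0, 0\n"`, where `key.encode` fails). A second test writing an unparsable line and a third writing a wrong-shape literal would pin down which exception `dumbdbm.open` raises in each case, which matters because the module's documented contract is that corrupt index files surface as a clean error rather than a traceback from deep inside `_update`. The `captured_stdout` assertion that nothing was printed is the right check for the original bug and should stay.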
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@
 Library
 -------
 
+- Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
+ module. Original patch by Claudiu Popa.
+
 - Issue #23239: ssl.match_hostname() now supports matching of IP addresses.
 
 - Issue #23146: Fix mishandling of absolute Windows paths with forward
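Review bot: the NEWS entry says what was fixed but not where the untrusted input comes from; adding that the vulnerability was triggered by a crafted `.dir` index file being evaluated on open would let operators judge their exposure (anyone who can write to the database directory could previously run code in the opening process).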
-- 
Repository URL: https://hg.python.org/cpython

