Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
authorSerhiy Storchaka <storchaka@gmail.com>
Sun, 15 Feb 2015 22:30:43 +0000 (00:30 +0200)
committerSerhiy Storchaka <storchaka@gmail.com>
Sun, 15 Feb 2015 22:30:43 +0000 (00:30 +0200)
module.  Original patch by Claudiu Popa.

Lib/dbm/dumb.py
Lib/test/test_dbm_dumb.py
Misc/NEWS

index 8f48aadade83ba0ceebdd3574e924e4fe213d010..a9ead68ce45fb4498e2f7ff0dc23690359f5e3ce 100644 (file)
@@ -21,6 +21,7 @@ is read when the database is opened, and some updates rewrite the whole index)
 
 """
 
+import ast as _ast
 import io as _io
 import os as _os
 import collections
@@ -85,7 +86,7 @@ class _Database(collections.MutableMapping):
             with f:
                 for line in f:
                     line = line.rstrip()
-                    key, pos_and_siz_pair = eval(line)
+                    key, pos_and_siz_pair = _ast.literal_eval(line)
                     key = key.encode('Latin-1')
                     self._index[key] = pos_and_siz_pair
 
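Review bot: `_ast.literal_eval(line)` on the new line removes the code-execution path but does not validate the shape of the value it returns, so a corrupt or tampered `.dir` file still surfaces as whatever exception happens next: a line that is not valid literal syntax raises `SyntaxError` rather than `ValueError`, a key that is not a `str` makes `key.encode('Latin-1')` on the following line raise `AttributeError`, and a `pos_and_siz_pair` that is not a pair is stored in `self._index` unchecked and presumably fails only when the index is consumed. Since the index file is untrusted input, I would check the parsed value before using it, e.g. `if not (isinstance(key, str) and isinstance(pos_and_siz_pair, tuple) and len(pos_and_siz_pair) == 2):` followed by `raise ValueError('malformed dbm.dumb index entry')`, so callers see one well-defined error for a malformed index. The enclosing method begins before this hunk, so whether any such check already exists around the `with f:` block cannot be seen here.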
index 29f48a35616d4a1cd09b068454d5a0197689ba5b..dc88ca64dcfdfd85f78dc1db292f0e90c3839a70 100644 (file)
@@ -217,6 +217,15 @@ class DumbDBMTestCase(unittest.TestCase):
             self.assertEqual(str(cm.exception),
                              "DBM object has already been closed")
 
+    def test_eval(self):
+        with open(_fname + '.dir', 'w') as stream:
+            stream.write("str(print('Hacked!')), 0\n")
+        with support.captured_stdout() as stdout:
+            with self.assertRaises(ValueError):
+                with dumbdbm.open(_fname) as f:
+                    pass
+            self.assertEqual(stdout.getvalue(), '')
+
     def tearDown(self):
         _delete_files()
 
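Review bot: `test_eval` pins only the case where the index line holds a call expression, which `ast.literal_eval` rejects with `ValueError`; it does not cover the other ways a malformed `.dir` file can misbehave. A line that is not valid literal syntax (`SyntaxError`), or a literal of the wrong shape such as `'a', 0` where the second element is not a pair, would not raise `ValueError` at this point and so would pass through this test unnoticed. I would add one or two sibling cases that write such lines and assert the error type the loader is meant to raise, so the contract for corrupt index files is pinned rather than only the code-execution path. The enclosing class `DumbDBMTestCase` continues outside the hunk.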
index ca4685c9f6a4f539d5b90393083bf1ec3da21f8e..b453fe458d2f8af96d4761628f9224e2f4f3d1f6 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
+  module.  Original patch by Claudiu Popa.
+
 - Issue #23146: Fix mishandling of absolute Windows paths with forward
   slashes in pathlib.