From: Serhiy Storchaka
Date: Sun, 15 Feb 2015 22:30:43 +0000 (+0200)
Subject: Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
X-Git-Tag: v3.5.0a2~140^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=74eb8b2d1a1db905cffc4efcd1cefaf1f725cd81;p=python
Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb module. Original patch by Claudiu Popa.
---
diff --git a/Lib/dbm/dumb.py b/Lib/dbm/dumb.py
index 8f48aadade..a9ead68ce4 100644
--- a/Lib/dbm/dumb.py
+++ b/Lib/dbm/dumb.py
@@ -21,6 +21,7 @@ is read when the database is opened, and some updates rewrite the whole index)
 """
+import ast as _ast
 import io as _io
 import os as _os
 import collections
@@ -85,7 +86,7 @@ class _Database(collections.MutableMapping):
         with f:
             for line in f:
                 line = line.rstrip()
-                key, pos_and_siz_pair = eval(line)
+                key, pos_and_siz_pair = _ast.literal_eval(line)
                 key = key.encode('Latin-1')
                 self._index[key] = pos_and_siz_pair
diff --git a/Lib/test/test_dbm_dumb.py b/Lib/test/test_dbm_dumb.py
index 29f48a3561..dc88ca64dc 100644
--- a/Lib/test/test_dbm_dumb.py
+++ b/Lib/test/test_dbm_dumb.py
@@ -217,6 +217,15 @@ class DumbDBMTestCase(unittest.TestCase):
         self.assertEqual(str(cm.exception), "DBM object has already been closed")
+    def test_eval(self):
+        with open(_fname + '.dir', 'w') as stream:
+            stream.write("str(print('Hacked!')), 0\n")
+        with support.captured_stdout() as stdout:
+            with self.assertRaises(ValueError):
+                with dumbdbm.open(_fname) as f:
+                    pass
+        self.assertEqual(stdout.getvalue(), '')
+
     def tearDown(self):
         _delete_files()
diff --git a/Misc/NEWS b/Misc/NEWS
index ca4685c9f6..b453fe458d 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
+- Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
+  module. Original patch by Claudiu Popa.
+
 - Issue #23146: Fix mishandling of absolute Windows paths with forward slashes in pathlib.
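Review bot: Swapping `eval` for `_ast.literal_eval` removes the code-execution path, but the tuple unpacking on the same line and the `key.encode('Latin-1')` on the next still trust the shape of whatever literal the `.dir` line holds, so a malformed or tampered line now fails with an incidental `ValueError`/`TypeError`/`AttributeError` rather than a deliberate one. Consider validating the shape right after the call, e.g. `if not isinstance(key, str) or not isinstance(pos_and_siz_pair, tuple): raise ValueError('invalid index line: %r' % line)` — hedged, because the writer side that fixes the expected `(str, tuple)` format is outside this hunk. Note also that `_ast.literal_eval` raises `SyntaxError`, not `ValueError`, on lines that do not parse at all, and its documentation warns that sufficiently large or deeply nested input can still exhaust the interpreter stack, so the index file should still be treated as untrusted with respect to availability even though it can no longer execute code. The enclosing method starts outside the hunk.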
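Review bot: `f` in `with dumbdbm.open(_fname) as f:` is never used; dropping the `as f` (`with dumbdbm.open(_fname):`) makes it clear that only the open itself is under test. The name `test_eval` describes the bug rather than the invariant; something like `test_index_file_is_not_evaluated` states what the test guards. The test pins the `ValueError` case only — a `.dir` line that is not valid Python at all would surface as `SyntaxError` from `_ast.literal_eval`, so a second case asserting the exception type for a syntactically broken line would document that behaviour too. The `open(...)` on the first added line does not pass `encoding=`, so the written file depends on the locale default; harmless for this ASCII payload but worth `encoding='Latin-1'` to match the module's index encoding.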