Ability to do code injection via logging module configuration listener port. #59650
Comments
This issue was raised first on security@python.org. Guido responded that not sensitive enough to be kept to the list and that okay to log a bug report.

This issue may not warrant any action except perhaps an update to

The problem arises in the Python logging modules ability to create a

http://docs.python.org/library/logging.config.html#logging.config.listen

"""To send a configuration to the socket, read in the configuration

This sounds innocuous and the documentation at that point doesn't warn

You get a hint of potential issues later if one reads later

"""The class entry indicates the handler’s class (as determined by

There are other mentions about eval() in context of log level and args

The combination of the open listener port for configuration and that

[handler_consoleHandler]

and one could execute an arbitrary command as the user the process runs as.

The problem is tempered by the fact that someone has to enable the

The specific code in Python 3.2 is:

```python
# logging/config.py (Python 3.2), handler setup in the fileConfig() path;
# both "class" and "args" come straight from the configuration text.
section = cp["handler_%s" % hand]
klass = section["class"]
fmt = section.get("formatter", "")
try:
    klass = eval(klass, vars(logging))
except (AttributeError, NameError):
    klass = _resolve(klass)
args = section["args"]
args = eval(args, vars(logging))
h = klass(*args)
```

and older Python 2.X versions have similar code. Although you could perhaps avoid need for eval for class lookup, can't

At the minimum there probably should be a warning in the documentation about using the logging module configuration port on untrusted systems with shared users.
ast.literal_eval() is a good choice for limited evaluation of Python string as it only supports data types like numbers, str, dict etc. but no classes or function calls.
I think it is sufficient for 2.7, 3.2 and 3.3 to just update the documentation, as Graham says, using "note" markup so that it stands out. I can look at ast.literal_eval as an option for 3.4.
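The following is an added example, not code from CPython or from anyone in this thread, showing what the two comments above propose: the handler section is parsed as the 3.2 code does, but the `eval()` on `class` is replaced by an importlib lookup restricted to `logging.Handler` subclasses, and the `eval()` on `args` by `ast.literal_eval()`. The INI text, the function names and the `MemoryHandler` section are constructed for the example.

```python
import ast
import configparser
import importlib
import logging
import logging.handlers

# Constructed sample handler section (not from the issue), in the INI format
# that fileConfig() and the listen() socket receiver both accept.  In 3.2 the
# "class" and "args" strings were passed straight to eval().
SAMPLE_CONFIG = """
[handler_memoryHandler]
class=logging.handlers.MemoryHandler
args=(100,)
formatter=simple
"""


def resolve_handler_class(name):
    """Resolve a handler class by name without eval().

    Accepts a bare name looked up in the logging namespace (what the original
    eval(klass, vars(logging)) achieved) or a dotted module path resolved with
    importlib.  Anything that is not a logging.Handler subclass is refused.
    """
    if not all(part.isidentifier() for part in name.split(".")):
        raise ValueError("handler class must be a dotted name: %r" % name)
    if "." in name:
        module_name, _, attr = name.rpartition(".")
        obj = getattr(importlib.import_module(module_name), attr)
    else:
        obj = getattr(logging, name)
    if not (isinstance(obj, type) and issubclass(obj, logging.Handler)):
        raise TypeError("%r is not a logging.Handler subclass" % name)
    return obj


def parse_handler_args(text):
    """Parse the args value as a Python literal: no names, attributes or calls.

    ast.literal_eval raises ValueError for any non-literal node, so an
    expression containing a call is never executed.
    """
    value = ast.literal_eval(text)
    if not isinstance(value, tuple):
        raise ValueError("args must be a tuple literal, got %r" % text)
    return value


def build_handler(config_text, handler_name):
    """Instantiate one handler from the config, mirroring the 3.2 code path
    with the two eval() calls replaced."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = cp["handler_%s" % handler_name]
    klass = resolve_handler_class(section["class"])
    args = parse_handler_args(section["args"])
    return klass(*args)


def args_rejected(text):
    """True if the literal-only parser refuses this args string."""
    try:
        parse_handler_args(text)
    except (ValueError, SyntaxError):
        return True
    return False


def class_rejected(name):
    """True if the class resolver refuses this class string."""
    try:
        resolve_handler_class(name)
    except (ValueError, TypeError, ImportError, AttributeError):
        return True
    return False


if __name__ == "__main__":
    handler = build_handler(SAMPLE_CONFIG, "memoryHandler")
    print("built", type(handler).__name__, "capacity", handler.capacity)
    # Literal tuples pass; an expression that would run code is refused.
    print("('app.log', 'a') rejected:", args_rejected("('app.log', 'a')"))
    print("(open('app.log'),) rejected:", args_rejected("(open('app.log'),)"))
    # The documented StreamHandler example uses args=(sys.stdout,), a name
    # reference, so a literal-only parser refuses it as well.
    print("(sys.stdout,) rejected:", args_rejected("(sys.stdout,)"))
    print("collections.OrderedDict rejected:",
          class_rejected("collections.OrderedDict"))
```

The last print shows the caveat Vinay's comment hints at: `ast.literal_eval()` also refuses `args=(sys.stdout,)`, which is the form the logging documentation's own `StreamHandler` example uses, so switching the parser silently breaks existing configuration files and needs a compatibility decision, not just a swap. Whatever parser is used, the listener still accepts configuration from any client that can reach the port, so limiting who can connect remains the primary control.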
New changeset f30b49a5072e by Vinay Sajip in branch '2.7':

New changeset e5d7d202f2bf by Vinay Sajip in branch '3.2':

New changeset 410be02de1c6 by Vinay Sajip in branch 'default':
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.