winreg.SetValueEx should check the returned value #88150
Comments
The library winreg[1] can be used to access the registry on Windows.

In the source file "PC/winreg.c",

When the type is set with reg.REG_DWORD,

In Objects/longobject.c, as the comment said:

/* Get a C unsigned long int from an int object.

If PyLong_AsUnsignedLong returns -1, the -1 will be stored in the registry even though the error occurred.

PoC:

import winreg as reg
key = reg.CreateKey(reg.HKEY_CURRENT_USER, 'SOFTWARE\\Classes\\r3pwn')
try:
try:

The Test Environment

python winreg_bug.py

The return value should be checked:

+ if (d == (unsigned long)-1 && PyErr_Occurred())

[1] https://docs.python.org/3.9/library/winreg.html#winreg.SetValueEx
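
Review bot: the added `if (d == (unsigned long)-1 && PyErr_Occurred())` line is shown without a body, so it is not visible what happens when the condition holds. The branch should return the function's failure value right there, so that the pending exception reaches the caller and no registry write takes place. A short comment that `(unsigned long)-1` on its own is also a legitimate DWORD value would explain why both conditions are tested.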
+1 on my side.

I'm changing this issue to a behavior bug. Many issues have the potential to be exploited as a security vulnerability in some contrived scenario, but the security issue type is for cases that have provably significant security implications, such as privilege escalation, which should be reported using the documented procedure [1]. Registry keys are secured, and modifying system keys requires privileged access, so a bug that sets an incorrect value is not particularly exploitable. Anyone that can set a system value already has full control of the system. The suggested fix is correct, except the C macro is ---

I have a patch ready for this issue. Should I convert it to a PR?

I'm attaching a PR to fix this issue.
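
The failure mode and the two-part check discussed in this issue, as an added C model (not CPython's code and not the patch from this thread). `as_dword`, `err_pending`, `stored_value` and both setter functions are hypothetical stand-ins; `uint32_t` plays the role of Windows' 32-bit `unsigned long`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not CPython code. err_pending stands in for the
   pending-exception state that PyErr_Occurred() reports. */
#define CONV_ERROR ((uint32_t)-1)
static bool err_pending;
static uint32_t stored_value;          /* stand-in for the registry value */

/* In-band error signalling: CONV_ERROR is also the valid value 0xFFFFFFFF. */
static uint32_t as_dword(int64_t v)
{
    if (v < 0 || v > (int64_t)UINT32_MAX) {
        err_pending = true;            /* models "exception set" */
        return CONV_ERROR;
    }
    return (uint32_t)v;
}

/* Reported behaviour (modelled): the result is written without an error check. */
static bool set_dword_unchecked(int64_t v)
{
    err_pending = false;
    stored_value = as_dword(v);
    return true;
}

/* Two-part test from the issue: sentinel value AND a pending error. */
static bool set_dword_checked(int64_t v)
{
    err_pending = false;
    uint32_t d = as_dword(v);
    if (d == CONV_ERROR && err_pending)
        return false;                  /* nothing is written */
    stored_value = d;
    return true;
}

int main(void)
{
    set_dword_checked(7);
    bool ok = set_dword_checked(-1);
    printf("checked(-1):   ok=%d stored=%u\n", ok, (unsigned)stored_value);
    ok = set_dword_unchecked(-1);
    printf("unchecked(-1): ok=%d stored=%u\n", ok, (unsigned)stored_value);
    return 0;
}
```

Testing the sentinel alone would reject the legitimate value 0xFFFFFFFF, which is why the check also consults the error state.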