Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests #22575

Merged
merged 1 commit into from
Oct 6, 2020
Merged

bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests #22575

merged 1 commit into from
Oct 6, 2020

Conversation

The-Compiler
Copy link
Contributor

@The-Compiler The-Compiler commented Oct 6, 2020
edited by bedevere-bot
Loading

Similarly to GH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.

https://bugs.python.org/issue41944

@The-Compiler
bpo-41944: No longer call eval() on content received via HTTP in the …
fc888ef 
…UnicodeNames tests

Similarly to GH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
@bedevere-bot bedevere-bot added tests Tests in the Lib/test dir awaiting review labels Oct 6, 2020
vstinner
vstinner approved these changes Oct 6, 2020
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

The test is still run and still pass:

$ ./python -m test -u all test_ucn -v
(...)
test_named_sequences_full (test.test_ucn.UnicodeNamesTest) ...
    fetching http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt ...
ok
(...)
Tests result: SUCCESS

@vstinner
Copy link
Member

vstinner commented Oct 6, 2020

@serhiy-storchaka or @methane: Would you mind to double check this security vulnerability fix?

serhiy-storchaka
serhiy-storchaka approved these changes Oct 6, 2020
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

literal_eval() is not a "safe eval", but in this case it does not make worse.

@vstinner vstinner merged commit a8bf44d into python:master Oct 6, 2020
@vstinner
Copy link
Member

vstinner commented Oct 6, 2020

I don't think that this change deserves a backport since the vulnerability is not exploitable:
https://bugs.python.org/issue41944#msg378111

shihai1991 added a commit to shihai1991/cpython that referenced this pull request Oct 9, 2020
@shihai1991
Merge remote-tracking branch 'origin/master' into bpo_39337_new_2
a69eef8 
* origin/master: (147 commits)
  Fix the attribute names in the docstring of GenericAlias (pythonGH-22594)
  bpo-39337: Add a test case for normalizing of codec names (pythonGH-19069)
  bpo-41557: Update Windows installer to use SQLite 3.33.0 (pythonGH-21960)
  bpo-41976: Fix the fallback to gcc of ctypes.util.find_library when using gcc>9 (pythonGH-22598)
  bpo-41306: Allow scale value to not be rounded (pythonGH-21715)
  bpo-41970: Avoid test failure in test_lib2to3 if the module is already imported (pythonGH-22595)
  bpo-41376: Fix the documentation of `site.getusersitepackages()` (pythonGH-21602)
  Revert "bpo-26680: Incorporate is_integer in all built-in and standard library numeric types (pythonGH-6121)" (pythonGH-22584)
  bpo-41923: PEP 613: Add TypeAlias to typing module (python#22532)
  Fix comment about PyObject_IsTrue. (pythonGH-22343)
  bpo-38605: Make 'from __future__ import annotations' the default (pythonGH-20434)
  bpo-41905: Add abc.update_abstractmethods() (pythonGH-22485)
  bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (pythonGH-22575)
  bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (pythonGH-22566)
  Post 3.10.0a1
  Python 3.10.0a1
  bpo-41584: clarify when the reflected method of a binary arithemtic operator is called (python#22505)
  bpo-41939: Fix test_site.test_license_exists_at_url() (python#22559)
  bpo-41774: Tweak new programming FAQ entry (pythonGH-22562)
  bpo-41936. Remove macros Py_ALLOW_RECURSION/Py_END_ALLOW_RECURSION (pythonGH-22552)
  ...
xzy3 pushed a commit to xzy3/cpython that referenced this pull request Oct 18, 2020
@The-Compiler
bpo-41944: No longer call eval() on content received via HTTP in the …
77c6bdb 
…UnicodeNames tests (pythonGH-22575)

Similarly to pythonGH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
@serhiy-storchaka serhiy-storchaka mentioned this pull request Apr 10, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serhiy-storchaka serhiy-storchaka serhiy-storchaka approved these changes

@vstinner vstinner vstinner approved these changes

Assignees
No one assigned
Labels
skip news tests Tests in the Lib/test dir
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@The-Compiler @vstinner @serhiy-storchaka @the-knights-who-say-ni @bedevere-bot