Use literal_eval instead of safe_eval whenever possible

CVE-2014-6633 issue4155 review10521002
tryton · Sep 29, 2014 · 19fc2a0 · 19fc2a0
1 parent 3e4c2b7
commit 19fc2a0
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 11 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,4 @@
+* Use literal_eval instead of safe_eval (CVE-2014-6633)
 * Prevent double underscore in safe_eval (CVE-2014-6633)
 * Add pre-validation on button
 * Model and Field access checked only if _check_access is set

diff --git a/trytond/ir/cron.py b/trytond/ir/cron.py
@@ -7,9 +7,10 @@
 import logging
 from email.mime.text import MIMEText
 from email.header import Header
+from ast import literal_eval
 
 from ..model import ModelView, ModelSQL, fields
-from ..tools import safe_eval, get_smtp_server
+from ..tools import get_smtp_server
 from ..transaction import Transaction
 from ..pool import Pool
 from .. import backend
@@ -156,7 +157,7 @@ def _callback(cls, cron):
         pool = Pool()
         Config = pool.get('ir.configuration')
         try:
-            args = (cron.args or []) and safe_eval(cron.args)
+            args = (cron.args or []) and literal_eval(cron.args)
             Model = pool.get(cron.model)
             with Transaction().set_user(cron.user.id):
                 getattr(Model, cron.function)(*args)

diff --git a/trytond/ir/lang.py b/trytond/ir/lang.py
@@ -2,10 +2,11 @@
 #this repository contains the full copyright notices and license terms.
 import datetime
 import warnings
+from ast import literal_eval
 
 from ..model import ModelView, ModelSQL, fields
 from ..cache import Cache
-from ..tools import safe_eval, datetime_strftime
+from ..tools import datetime_strftime
 from ..transaction import Transaction
 from ..pool import Pool
 from .time_locale import TIME_LOCALE
@@ -135,7 +136,7 @@ def check_grouping(cls, langs):
         '''
         for lang in langs:
             try:
-                grouping = safe_eval(lang.grouping)
+                grouping = literal_eval(lang.grouping)
                 for i in grouping:
                     if not isinstance(i, int):
                         raise
@@ -257,10 +258,10 @@ def _grouping_intervals(grouping):
 
         if monetary:
             thousands_sep = monetary.mon_thousands_sep
-            grouping = safe_eval(monetary.mon_grouping)
+            grouping = literal_eval(monetary.mon_grouping)
         else:
             thousands_sep = lang.thousands_sep
-            grouping = safe_eval(lang.grouping)
+            grouping = literal_eval(lang.grouping)
         if not grouping:
             return (s, 0)
         if s[-1] == ' ':

diff --git a/trytond/res/user.py b/trytond/res/user.py
@@ -9,6 +9,8 @@
 import datetime
 from itertools import groupby, ifilter
 from operator import attrgetter
+from ast import literal_eval
+
 from sql import Literal
 from sql.conditionals import Coalesce
 from sql.aggregate import Count
@@ -21,7 +23,7 @@
 
 from ..model import ModelView, ModelSQL, fields
 from ..wizard import Wizard, StateView, Button, StateTransition
-from ..tools import safe_eval, grouped_slice
+from ..tools import grouped_slice
 from .. import backend
 from ..transaction import Transaction
 from ..cache import Cache
@@ -341,7 +343,7 @@ def _get_preferences(cls, user, context_only=False):
                 date = date.replace(i, j)
             res['locale'] = {
                 'date': date,
-                'grouping': safe_eval(user.language.grouping),
+                'grouping': literal_eval(user.language.grouping),
                 'decimal_point': user.language.decimal_point,
                 'thousands_sep': user.language.thousands_sep,
             }

diff --git a/trytond/webdav/webdav.py b/trytond/webdav/webdav.py
@@ -8,12 +8,14 @@
 import encodings
 import uuid
 import datetime
+from ast import literal_eval
+
 from dateutil.relativedelta import relativedelta
 from sql.functions import Extract
 from sql.conditionals import Coalesce
 
 from trytond.model import ModelView, ModelSQL, fields
-from trytond.tools import reduce_ids, safe_eval
+from trytond.tools import reduce_ids
 from trytond.transaction import Transaction
 from trytond.pool import Pool
 from trytond.config import config
@@ -307,7 +309,7 @@ def get_childs(cls, uri, filter=None, cache=None):
                 if not Model:
                     return res
                 models = Model.search(
-                        safe_eval(collection.domain or "[]"))
+                    literal_eval(collection.domain))
                 for child in models:
                     if '/' in child.rec_name:
                         continue
@@ -759,7 +761,7 @@ def get_path(cls, attachments, name):
             model_name = collection.model.model
             Model = pool.get(model_name)
             ids = list(resources[model_name])
-            domain = safe_eval(collection.domain or '[]')
+            domain = literal_eval(collection.domain)
             domain = [domain, ('id', 'in', ids)]
             records = Model.search(domain)
             for record in records: