disable builtins when using eval for reparam to avoid risk for remote code execution. (tx Adrián Brav)
anandology committed Apr 1, 2014
1 parent d666d65 commit 8fa67f40f212fbfe51aa5493fc377c683eff9925
Showing with 2 additions and 0 deletions.
  1. +2 −0 web/db.py
@@ -296,6 +296,8 @@ def reparam(string_, dictionary):
<sql: 's IN (1, 2)'>
"""
dictionary = dictionary.copy() # eval mucks with it
# disable builtins to avoid risk for remote code exection.
dictionary['__builtins__'] = object()
vals = []
result = []
for live, chunk in _interpolate(string_):
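Review bot: the added `dictionary['__builtins__'] = object()` line only removes builtin names from the `eval` namespace; it is a mitigation, not a sandbox, because every `$...` chunk in `string_` is still evaluated as Python against the caller-supplied `dictionary`, so `reparam` must continue to be documented as taking a trusted template string and untrusted values only through `dictionary`. Two smaller points in the same hunk: the comment has a typo (`exection` should be `execution`, matching the commit title), and `{}` is the conventional, documented way to tell `eval` to supply no builtins, where the `object()` sentinel relies on the interpreter's fallback for a non-dict `__builtins__`; consider `dictionary['__builtins__'] = {}`. It would also help to add a test that a template referencing a builtin name (for example `$len(x)`) now raises instead of calling it.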
