Skip Menu |
 

This queue is for tickets about the Python-Serialise-Pickle CPAN distribution.

Report information
The Basics
Id: 32114
Status: new
Priority: 0/
Queue: Python-Serialise-Pickle

People
Owner: Nobody in particular
Requestors: hjp [...] hjp.at
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.01
Fixed in: (no value)



Subject: arbitrary code execution in parsing of "repr-style" strings
Download (untitled) / with headers
text/plain 995b
The _get_string method which handles opcode 'S' (STRING) uses the eval function to evaluate the string without performing adequate sanitization first. The attached test case returns: ./t/08strings_unsafe......1/3 # Failed test at ./t/08strings_unsafe.t line 13. # got: '0.479425538604203' # expected: '@{[sin(0.5)]}' # Looks like you failed 1 test of 3. ./t/08strings_unsafe...... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/3 subtests Test Summary Report ------------------- ./t/08strings_unsafe.t (Wstat: 256 Tests: 3 Failed: 1) Failed test number(s): 3 Non-zero exit status: 1 Files=1, Tests=3, 0 wallclock secs ( 0.01 usr 0.00 sys + 0.04 cusr 0.00 csys = 0.05 CPU) Result: FAIL As can be seen, the embedded expression sin(0.5) is evaluated - more malicious applications are left as an exercise to the reader. (Note: My (upcoming) patch for bug #20244 will also fix this problem - I just wanted to document this separately because it is more serious)
Subject: strings_unsafe
Download strings_unsafe
application/octet-stream 22b

Message body not shown because it is not plain text.

From: hjp [...] hjp.at
Download (untitled) / with headers
text/plain 287b
On Sun Jan 06 19:33:06 2008, hjp@hjp.at wrote: Show quoted text
> The _get_string method which handles opcode 'S' (STRING) uses the eval > function to evaluate the string without performing adequate sanitization > first. The attached test case returns:
Attaching didn't work as I hoped - second attempt.
Download 08strings_unsafe.t
text/x-perl 223b
#!/usr/bin/perl use warnings; use strict; use Test::More tests => 3; use_ok('Python::Serialise::Pickle'); ok(my $ps = Python::Serialise::Pickle->new('t/strings_unsafe')); my $s = $ps->load(); is($s, '@{[sin(0.5)]}');


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.