From c769040100c3957446acea6efed5c9ad4a552cf2 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka
Date: Mon, 16 Feb 2015 00:29:52 +0200
Subject: Issue #22885: Fixed arbitrary code execution vulnerability in the dumbdbm module. Original patch by Claudiu Popa.

---
 Lib/dumbdbm.py           | 3 ++-
 Lib/test/test_dumbdbm.py | 8 ++++++++
 Misc/NEWS                | 3 +++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Lib/dumbdbm.py b/Lib/dumbdbm.py
index 4a0c3a7..46d543d 100644
--- a/Lib/dumbdbm.py
+++ b/Lib/dumbdbm.py
@@ -21,6 +21,7 @@ is read when the database is opened, and some updates rewrite the whole index)
 """
+import ast as _ast
 import os as _os
 import __builtin__
 import UserDict
@@ -85,7 +86,7 @@ class _Database(UserDict.DictMixin):
             with f:
                 for line in f:
                     line = line.rstrip()
-                    key, pos_and_siz_pair = eval(line)
+                    key, pos_and_siz_pair = _ast.literal_eval(line)
                     self._index[key] = pos_and_siz_pair
     # Write the index dict to the directory file.  The original directory
diff --git a/Lib/test/test_dumbdbm.py b/Lib/test/test_dumbdbm.py
index 6f5324f..6520efd 100644
--- a/Lib/test/test_dumbdbm.py
+++ b/Lib/test/test_dumbdbm.py
@@ -160,6 +160,14 @@ class DumbDBMTestCase(unittest.TestCase):
             self.assertEqual(expected, got)
         f.close()
+    def test_eval(self):
+        with open(_fname + '.dir', 'w') as stream:
+            stream.write("str(__import__('sys').stdout.write('Hacked!')), 0\n")
+        with test_support.captured_stdout() as stdout:
+            with self.assertRaises(ValueError):
+                dumbdbm.open(_fname).close()
+            self.assertEqual(stdout.getvalue(), '')
+
     def tearDown(self):
         _delete_files()
diff --git a/Misc/NEWS b/Misc/NEWS
index 64ab3e5..5f9c814 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------
+- Issue #22885: Fixed arbitrary code execution vulnerability in the dumbdbm
+  module.  Original patch by Claudiu Popa.
+
 - Issue #21849: Fixed xmlrpclib serialization of non-ASCII unicode strings
   in the multiprocessing module.
-- 
cgit v0.12
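Review bot: The switch to `_ast.literal_eval(line)` closes the code-execution hole, but a damaged `.dir` file now surfaces as two different exception types: a well-formed non-literal line (the call expression in the new test) raises `ValueError`, while a truncated or garbled line raises `SyntaxError`, so a caller of `open()` has no single exception to catch for index corruption. It would be worth normalising this in `_update` with `except (ValueError, SyntaxError) as exc:` and re-raising one documented type (the module's `error` alias, if it is the intended public failure type here — confirm), and pinning that in the regression test, which currently asserts only the `ValueError` path. A short comment at the call site, `# index lines are untrusted on-disk data: parse as literals only, never eval`, would keep the next maintainer from reverting to eval for speed. `literal_eval` still runs the parser, so a pathologically nested line can presumably exhaust memory or the recursion limit rather than raise cleanly; acceptable for a local index file, but worth stating. The enclosing `_update` method starts before this hunk and its `try`/`except IOError` wrapper is outside the visible lines.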
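Review bot: `test_eval` carries no docstring tying it to the issue it guards, and its name describes the old bug rather than the contract being tested. Suggest `"""Issue #22885: an index (.dir) line is parsed as a literal and never executed."""` as the docstring, and a name such as `test_eval_index_file` so the intent survives if the call-site comment is lost. The `assertEqual(stdout.getvalue(), '')` is the actual security assertion and deserves a one-line comment saying so, e.g. `# the payload must not have run`. The crafted `.dir` file is cleaned up by `tearDown` via `_delete_files()`, which is visible as context here, so no extra cleanup is needed.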