[issue18317] gettext: DoS via crafted Plural-Forms

2016-11-08 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: The DoS as well as other flaws is fixed in issue28563 by implementing a complete parser for GNU gettext plural form expressions. -- nosy: +serhiy.storchaka resolution: -> fixed stage: test needed -> resolved status: open -> closed superseder: ->

[issue18317] gettext: DoS via crafted Plural-Forms

2016-09-08 Thread Christian Heimes
Changes by Christian Heimes: -- versions: +Python 3.5, Python 3.6, Python 3.7 -Python 3.2, Python 3.3

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-28 Thread Antoine Pitrou
Antoine Pitrou added the comment: I would rather ask: why do we eval() MO files? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue18317 ___ ___

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-28 Thread Christian Heimes
Christian Heimes added the comment: We don't eval() the whole MO file. It's just the pluralization formula, http://www.gnu.org/software/gettext/manual/gettext.html#index-nplurals_0040r_007b_002c-in-a-PO-file-header_007d-1093 The patch uses ast.NodeVisitor to look for dangerous code.

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-28 Thread Jakub Wilk
Jakub Wilk added the comment: Making token filtering more thorough may be simpler than going through AST. I think Python should accept all the operators that GNU gettext accepts: http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y?id=v0.18.2.1#n132
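
One way to evaluate a plural expression without eval(), added here as an example and not code from the tracker or from CPython: a precedence-climbing parser that accepts only the operators of GNU gettext's plural grammar and builds the plural function from closures, so the reported `42**42**42` is a syntax error. The names `compile_plural` and `MAX_LEN` and the 300-character cap are assumptions of this example, and `n` is assumed to be a non-negative integer.

```python
import operator as op
import re

# Only the tokens of GNU gettext's plural.y grammar: n, decimal numbers, ?:
# || && == != < > <= >= + - * / % ! ( ). No names, no calls, no "**".
_TOKEN = re.compile(r"[0-9]+|n|\|\||&&|[=!<>]=|[-+*/%<>!?:()]")
_OPS = {"?": (0, None), "||": (1, None), "&&": (2, None), "==": (3, op.eq),
        "!=": (3, op.ne), "<": (4, op.lt), ">": (4, op.gt), "<=": (4, op.le),
        ">=": (4, op.ge), "+": (5, op.add), "-": (5, op.sub), "*": (6, op.mul),
        "/": (6, op.floordiv), "%": (6, op.mod)}  # token: (precedence, function)
MAX_LEN = 300  # assumed cap; also bounds parser and closure recursion depth

def _binary(tok, a, b):
    if tok in ("||", "&&"):  # operands are closures, so these short-circuit
        return lambda n: int(bool((a(n) or b(n)) if tok == "||" else (a(n) and b(n))))
    return lambda n: int(_OPS[tok][1](a(n), b(n)))

def compile_plural(expr):
    """Return f(n) for a C-style plural expression; ValueError if invalid."""
    if len(expr) > MAX_LEN:
        raise ValueError("plural expression too long")
    tokens = _TOKEN.findall(expr) + [None]  # None marks the end
    if "".join(tokens[:-1]) != "".join(expr.split()):
        raise ValueError("illegal character in plural expression")

    def expect(value, closer):
        if tokens.pop(0) != closer:
            raise ValueError("expected %r" % closer)
        return value

    def parse(min_prec):
        tok = tokens.pop(0)
        if tok == "(":
            left = expect(parse(-1), ")")
        elif tok == "!":
            left = lambda n, f=parse(6): int(not f(n))
        elif tok == "n" or (tok and tok.isdigit()):
            left = (lambda n: n) if tok == "n" else (lambda n, v=int(tok): v)
        else:
            raise ValueError("syntax error near %r" % tok)
        while _OPS.get(tokens[0], (-1,))[0] > min_prec:
            tok = tokens.pop(0)
            if tok == "?":  # right-associative conditional
                yes = expect(parse(-1), ":")
                left = lambda n, c=left, y=yes, e=parse(-1): y(n) if c(n) else e(n)
            else:
                left = _binary(tok, left, parse(_OPS[tok][0]))
        return left
    return expect(parse(-1), None)
```

Calling the returned function can still raise ZeroDivisionError for an expression such as `n/0`; a caller loading catalogs from untrusted sources should treat that as an invalid catalog as well.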

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-28 Thread Christian Heimes
Christian Heimes added the comment: Thanks for the link plural.y! I was looking for a C file, not a YACC file. The AST approach has advantages over tokenizing. The tokenizer returns just symbols but the AST has also context information. It makes it much easier to distinguish between unary -

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-27 Thread Jakub Wilk
New submission from Jakub Wilk: It is possible to craft a MO file with Plural-Forms taking arbitrary amounts of CPU and memory to evaluate. A test case is attached. I realize that opening untrusted MO files is a rather unusual use case, but the module already contains some code to protect

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-27 Thread Jakub Wilk
Changes by Jakub Wilk jw...@jwilk.net: Added file: http://bugs.python.org/file30716/testcase.py

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-27 Thread Christian Heimes
Christian Heimes added the comment: Thanks, can you please provide the PO file, too? Or did you construct the MO file manually? -- nosy: +christian.heimes stage: -> test needed versions: +Python 2.7, Python 3.2, Python 3.3, Python 3.4

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-27 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- nosy: +loewis, pitrou

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-27 Thread Christian Heimes
Christian Heimes added the comment: Ah, I see what you are doing. Nice catch! Plural-Forms: nplurals=0; plural=42**42**42; The plural form gets parsed by gettext.c2py() and eventually turned into a lambda that executes int(42**42**42). Perhaps a custom AST visitor could be used to filter out

[issue18317] gettext: DoS via crafted Plural-Forms

2013-06-27 Thread Benjamin Peterson
Benjamin Peterson added the comment: Why do we have support for untrusted MO files? -- nosy: +benjamin.peterson