New submission from David Jean Louis <izimo...@gmail.com>:

Hi,

I'm the author of the polib python module. Incidentally (after a bug report in
polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote),
I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code
execution; someone could create a malicious po entry like this:

msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")

As this is an "internal tool" used by developers, maybe it is not very
important, but given that people may reuse this script for generating mo files,
I think this needs to be fixed. I'm adding a patch for this issue.

Regards,

-- 
David

----------
components: Demos and Tools
files: msgfmt.py.diff
keywords: patch
messages: 146678
nosy: izi
priority: normal
severity: normal
status: open
title: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23566/msgfmt.py.diff

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13301>
_______________________________________
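An added example (not the attached patch and not CPython's own code) of how the quoted value of a msgid/msgstr line can be read without eval(): ast.literal_eval only accepts Python literals, so an expression appended after the closing quote, as in the entry above, is rejected instead of executed. The function names and the sample lines are constructed for this illustration.

```python
import ast

# Constructed sample lines: a normal entry, the empty header entry, and an
# entry of the shape shown in the report (an expression after the quotes).
BENIGN_LINE = 'msgstr "Hello, world\\n"'
HEADER_LINE = 'msgid ""'
MALICIOUS_LINE = 'msgstr "" or __import__("os").getcwd()'


def parse_po_value(line):
    """Return the string value of a msgid/msgstr line, or raise ValueError.

    msgfmt.py of the time ran eval() on the quoted part, so anything a po file
    put after the closing quote ran as Python when the .mo file was built.
    ast.literal_eval parses the text as a literal only: names, calls and
    operators make it raise ValueError, and a non-string literal (e.g. a
    number) is rejected explicitly below.
    """
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("msgid", "msgstr"):
        raise ValueError("not a msgid/msgstr line: %r" % line)
    value = parts[1].strip()
    # Cheap structural check before parsing: the value must be a quoted string.
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("value is not a quoted string: %r" % value)
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("refusing non-literal value %r: %s" % (value, exc))
    if not isinstance(parsed, str):
        raise ValueError("value is not a string literal: %r" % value)
    return parsed


def is_safe_po_line(line):
    """True if the line carries a plain string literal, False if it is rejected."""
    try:
        parse_po_value(line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in (BENIGN_LINE, HEADER_LINE, MALICIOUS_LINE):
        print("%-45r -> %s" % (sample, "accepted" if is_safe_po_line(sample) else "rejected"))
```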