STINNER Victor <[email protected]> added the comment:
> FWIW I found another place where a similar thing is done, though by chance
> it's probably not exploitable - see GH-22575.
I agree that test_ucn is not exploitable, but it would be nice to harden it
anyway.
Extract of the code:

    self.assertEqual(unicodedata.lookup(seqname), codepoints)
    with self.assertRaises(SyntaxError):
        self.checkletter(seqname, None)
test_ucn downloads http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt
and calls checkletter() on each line, but first it ensures that
unicodedata.lookup(seqname) works as expected.
I don't see how it would be possible to inject arbitrary Python code in the
'seqname' variable without making unicodedata.lookup() fail.
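As an added illustration (not code from this thread or from CPython's test_ucn), a hardened reader for NamedSequences.txt lines that applies the guard described above: every name must match Unicode name syntax and unicodedata.lookup() must return exactly the listed code points before the line is accepted. The sample input below is constructed, including the two malformed lines.

```python
import re
import unicodedata

# Unicode character and sequence names use only uppercase ASCII letters,
# digits, space and hyphen; anything else is rejected before the name is
# used anywhere else.
NAME_RE = re.compile(r"\A[A-Z0-9][A-Z0-9 -]*\Z")

# Constructed excerpt in the NamedSequences.txt format (NAME;CODEPOINTS),
# with a comment, a blank line, a name containing a stray quote, and a
# well-formed name that the Unicode database does not know.
SAMPLE = """\
# NamedSequences (constructed excerpt)

LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100 0300
TAMIL SYLLABLE KAA;0B95 0BBE
BAD NAME";0041
NOT A REAL SEQUENCE NAME;0041 0042
"""


def parse_named_sequences(text):
    """Return (accepted, rejected) for the lines of a NamedSequences file.

    accepted: list of (seqname, codepoints) whose name passed NAME_RE and
              whose unicodedata.lookup() result equals the listed string.
    rejected: list of (line, reason) for everything else, so a corrupted
              or tampered download never reaches later processing steps.
    """
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        seqname, _, cps = line.partition(";")
        seqname = seqname.strip()
        try:
            if not NAME_RE.match(seqname):
                raise ValueError("name violates Unicode name syntax")
            codepoints = "".join(chr(int(cp, 16)) for cp in cps.split())
            # Same cross-check as test_ucn: the database must agree.
            if unicodedata.lookup(seqname) != codepoints:
                raise ValueError("lookup() disagrees with listed code points")
        except (ValueError, KeyError) as exc:
            rejected.append((line, str(exc)))
            continue
        accepted.append((seqname, codepoints))
    return accepted, rejected
```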
Python tracker <[email protected]>
<https://bugs.python.org/issue41944>