[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
Roundup Robot added the comment:

New changeset 058ff991bdcb by Ezio Melotti in branch '2.7':
#13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/058ff991bdcb

New changeset 2fa338374719 by Ezio Melotti in branch '3.2':
#13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/2fa338374719

New changeset ea2cb9b69fd9 by Ezio Melotti in branch '3.3':
#13301: merge with 3.2.
http://hg.python.org/cpython/rev/ea2cb9b69fd9

New changeset aa02f7be68f6 by Ezio Melotti in branch 'default':
#13301: merge with 3.3.
http://hg.python.org/cpython/rev/aa02f7be68f6

--
nosy: +python-dev

___
Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue13301
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
Ezio Melotti added the comment:

Fixed, thanks for the patch!

--
assignee:  -> ezio.melotti
resolution:  -> fixed
stage: patch review -> committed/rejected
status: open -> closed
Serhiy Storchaka added the comment:

Here is a simpler patch. Please approve, it's a really trivial patch.

--
stage: needs patch -> patch review
Added file: http://bugs.python.org/file27832/msgfmt_literal_eval.patch
Serhiy Storchaka added the comment:

The patch does not unquote strings ("spam\n" is interpreted as r"spam\n") and allows invalid entries such as \\ or boo.

--
nosy: +serhiy.storchaka
stage: patch review -> needs patch
versions: +Python 3.4
New submission from David Jean Louis <izimo...@gmail.com>:

Hi,

I'm the author of the polib python module. Incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote) I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution; someone could create a malicious po entry like this:

    msgid "owned!"
    msgstr "" or __import__("os").popen("rm -rf /")

As this is an internal tool used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed; I'm adding a patch for this issue.

Regards,

-- David

--
components: Demos and Tools
files: msgfmt.py.diff
keywords: patch
messages: 146678
nosy: izi
priority: normal
severity: normal
status: open
title: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23566/msgfmt.py.diff
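Added example, not the tracker patch and not msgfmt.py's own code: the quoted-string handling that the fix in this thread switched to (ast.literal_eval() in place of eval()), written as a stand-alone function together with the checks that answer the objections raised against the first patch, namely that escape sequences must be decoded and that unquoted or otherwise malformed tokens must be rejected. The function names and sample tokens are constructed for illustration; the smuggled-code sample uses a harmless os.getcwd() call in the shape of the payload from the report, and the function refuses it before anything is evaluated.

```python
import ast

# Constructed sample PO string tokens for illustration; none of them are
# taken from the tracker thread beyond the quoted-string syntax itself.
SAMPLES = {
    # well-formed token: the \n escape must become a real newline
    "escaped": r'"spam\n"',
    # empty msgstr, a common and valid PO value
    "empty": '""',
    # unterminated quote (malformed PO, must be rejected)
    "unterminated": '"boo',
    # code smuggled after a string literal (harmless stand-in for the
    # report's payload); must be rejected without being evaluated
    "smuggled": '"" or __import__("os").getcwd()',
    # valid Python, but an expression rather than a plain literal
    "conditional": '"x" if 1 else "y"',
}


def unquote_po_string(token):
    """Decode one double-quoted PO string token into its str value.

    Escapes are decoded by ast.literal_eval(), the replacement for eval()
    that the changesets in this thread adopted: it accepts only Python
    literals, so attribute access, calls and imports can never run.
    Anything that is not a single quoted string literal raises ValueError.
    """
    token = token.strip()
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("PO string must be enclosed in double quotes: %r" % token)
    try:
        value = ast.literal_eval(token)
    except (ValueError, SyntaxError) as exc:
        # ValueError: valid Python syntax but not a literal (e.g. IfExp)
        # SyntaxError: not even valid Python (e.g. an unterminated quote)
        raise ValueError("malformed PO string %r: %s" % (token, exc))
    if not isinstance(value, str):
        # literal_eval also accepts numbers, tuples and so on; a PO string
        # must decode to exactly one str
        raise ValueError("PO string did not decode to text: %r" % token)
    return value


def naive_unquote(token):
    """Strip the outer quotes and nothing else.

    This is the weakness pointed out in the thread: escape sequences stay
    raw, so the token "spam\\n" yields a backslash followed by the letter
    n instead of a newline.
    """
    return token[1:-1]


def is_rejected(token):
    """True if unquote_po_string() refuses the token."""
    try:
        unquote_po_string(token)
    except ValueError:
        return True
    return False


def check_samples():
    """Decode every sample, recording the decoded value or 'rejected'."""
    results = {}
    for name, token in SAMPLES.items():
        results[name] = "rejected" if is_rejected(token) else unquote_po_string(token)
    return results


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print("%-12s %r -> %r" % (name, SAMPLES[name], outcome))
    # The safe path decodes the escape; the naive path leaves it raw.
    print("naive unquote of the escaped sample:", repr(naive_unquote(SAMPLES["escaped"])))
```

The quote check in front of literal_eval() is deliberate: literal_eval() would already raise on the smuggled and conditional samples, but checking the token shape first gives a PO-specific error message and also catches well-formed literals that are not strings at all, such as a bare number.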
Changes by Ezio Melotti <ezio.melo...@gmail.com>:

--
nosy: +barry, benjamin.peterson, ezio.melotti, georg.brandl
stage:  -> patch review
versions: -Python 2.6, Python 3.1, Python 3.4
Changes by Petri Lehtinen <pe...@digip.org>:

--
nosy: +petri.lehtinen
Georg Brandl <ge...@python.org> added the comment:

This should be fixed; the patch doesn't seem correct though: it doesn't handle escapes like eval() would.

--
David Jean Louis <izimo...@gmail.com> added the comment:

I'm adding an updated patch that also handles an unescaped double quote at the beginning of the string.

--
versions: +Python 2.6, Python 3.1, Python 3.4
Added file: http://bugs.python.org/file23567/msgfmt.py.diff.update1.diff
David Jean Louis <izimo...@gmail.com> added the comment:

Hmm, I missed your previous message; indeed, unescaping is not handled by this patch, sorry about that. Here's how it is handled in polib: https://bitbucket.org/izi/polib/src/dbafdc621bf4/polib.py#cl-206

--
Changes by Éric Araujo <mer...@netwok.org>:

--
nosy: +eric.araujo
versions: -Python 2.6, Python 3.1, Python 3.4