[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-11-09 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 058ff991bdcb by Ezio Melotti in branch '2.7':
#13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py.  
Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/058ff991bdcb

New changeset 2fa338374719 by Ezio Melotti in branch '3.2':
#13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py.  
Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/2fa338374719

New changeset ea2cb9b69fd9 by Ezio Melotti in branch '3.3':
#13301: merge with 3.2.
http://hg.python.org/cpython/rev/ea2cb9b69fd9

New changeset aa02f7be68f6 by Ezio Melotti in branch 'default':
#13301: merge with 3.3.
http://hg.python.org/cpython/rev/aa02f7be68f6

--
nosy: +python-dev

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13301
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-11-09 Thread Ezio Melotti

Ezio Melotti added the comment:

Fixed, thanks for the patch!

--
assignee:  - ezio.melotti
resolution:  - fixed
stage: patch review - committed/rejected
status: open - closed




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-11-01 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Here is a simpler patch.  Please approve, it's a really trivial patch.

--
stage: needs patch - patch review
Added file: http://bugs.python.org/file27832/msgfmt_literal_eval.patch




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2012-10-17 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

The patch does not unquote strings ("spam\n" is interpreted as r"spam\n") and allows invalid entries such as \\ or boo.

--
nosy: +serhiy.storchaka
stage: patch review - needs patch
versions: +Python 3.4




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread David Jean Louis

New submission from David Jean Louis izimo...@gmail.com:

Hi, 

I'm the author of the polib python module, incidentally (after a bug report in 
polib: 
https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote) 
I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code 
execution, someone could create a malicious po entry like this:

msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")

As this is an internal tool used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed; I'm adding a patch for this issue.

Regards,

-- 
David

--
components: Demos and Tools
files: msgfmt.py.diff
keywords: patch
messages: 146678
nosy: izi
priority: normal
severity: normal
status: open
title: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23566/msgfmt.py.diff

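An added example (not code from the issue, from either submitted patch, or from CPython's own Tools/i18n/msgfmt.py) putting the problem David describes and the literal_eval() fix recorded in the committed changesets side by side. It is a minimal single-line msgid/msgstr reader parameterised on how the quoted literal is turned into text. The malicious entry is constructed here with a harmless expression that returns the process id, standing in for the `rm -rf /` in the report; the benign entry shows that ast.literal_eval() also performs the C-style unescaping Serhiy's comment asks for (`"spam\n"` becomes a real newline), while non-string and unterminated entries are rejected. The sample .po text and the names parse_po, unquote_eval and unquote_literal are this example's own.

```python
import ast

# Constructed sample .po entries for this example (not taken from the report):
# a benign entry using C-style escapes, and a msgstr line shaped like the
# malicious entry in the issue, with a harmless payload that merely proves
# code ran (it returns the current PID instead of spawning "rm -rf /").
BENIGN_PO = '''
msgid "greeting"
msgstr "hello\\n\\"world\\""
'''

MALICIOUS_PO = '''
msgid "owned!"
msgstr "" or str(__import__("os").getpid())
'''


def unquote_eval(literal):
    """Pre-fix behaviour of msgfmt.py: eval() runs any expression on the line.
    Intentionally vulnerable; kept only to contrast with unquote_literal()."""
    return eval(literal)


def unquote_literal(literal):
    """Post-fix behaviour: ast.literal_eval() accepts only Python literals and
    unescapes them like eval() would.  A .po string must be a str, so anything
    else that is still a valid literal (42, (), {}) is refused as well."""
    value = ast.literal_eval(literal)
    if not isinstance(value, str):
        raise ValueError("not a string literal: %r" % (literal,))
    return value


def parse_po(text, unquote):
    """Minimal msgid/msgstr extractor (single-line entries, comments skipped),
    parameterised on the function that turns the quoted literal into text."""
    entries = {}
    msgid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("msgid "):
            msgid = unquote(line[len("msgid "):].strip())
        elif line.startswith("msgstr "):
            if msgid is None:
                raise ValueError("msgstr without preceding msgid")
            entries[msgid] = unquote(line[len("msgstr "):].strip())
            msgid = None
        else:
            raise ValueError("unsupported .po line: %r" % (line,))
    return entries


def vulnerable_result():
    """The eval() version executes the attacker's expression; its result
    becomes the 'translation' (here: our own PID as a string)."""
    return parse_po(MALICIOUS_PO, unquote_eval)["owned!"]


def fixed_result():
    """The literal_eval() version refuses the same entry with a ValueError."""
    try:
        parse_po(MALICIOUS_PO, unquote_literal)
    except ValueError as exc:
        return "rejected: %s" % exc
    return "accepted"


def rejects(literal):
    """True if unquote_literal() refuses the given raw .po literal.  Note the
    two exception types: an unterminated literal is a SyntaxError, not a
    ValueError, so a real parser must catch both."""
    try:
        unquote_literal(literal)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    import os
    print("eval():        ", vulnerable_result(), "(our pid is %d)" % os.getpid())
    print("literal_eval():", fixed_result())
    print("benign entry:  ", parse_po(BENIGN_PO, unquote_literal))
    for bad in ['"boo', 'boo', '"a" + "b"', '42']:
        print("%-12r rejected: %s" % (bad, rejects(bad)))
```

The str check after literal_eval() is deliberate: literal_eval() happily returns numbers, tuples, lists and dicts, and a .po reader that later calls .encode() on one of those would fail far from the cause. Catching SyntaxError alongside ValueError is the other detail worth keeping, since an unterminated string such as `"boo` is a SyntaxError from the parser rather than a ValueError from literal_eval().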



[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Ezio Melotti

Changes by Ezio Melotti ezio.melo...@gmail.com:


--
nosy: +barry, benjamin.peterson, ezio.melotti, georg.brandl
stage:  - patch review
versions:  -Python 2.6, Python 3.1, Python 3.4




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Petri Lehtinen

Changes by Petri Lehtinen pe...@digip.org:


--
nosy: +petri.lehtinen




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Georg Brandl

Georg Brandl ge...@python.org added the comment:

This should be fixed; the patch doesn't seem correct though, it doesn't handle 
escapes like eval() would.

--




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread David Jean Louis

David Jean Louis izimo...@gmail.com added the comment:

I'm adding an updated patch that also handles unescaped double quote at the 
beginning of the string.

--
versions: +Python 2.6, Python 3.1, Python 3.4
Added file: http://bugs.python.org/file23567/msgfmt.py.diff.update1.diff




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread David Jean Louis

David Jean Louis izimo...@gmail.com added the comment:

Hmm, I missed your previous message, indeed, unescaping is not handled by this 
patch, sorry about that. Here's how it is handled in polib:
https://bitbucket.org/izi/polib/src/dbafdc621bf4/polib.py#cl-206

--




[issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

2011-10-31 Thread Éric Araujo

Changes by Éric Araujo mer...@netwok.org:


--
nosy: +eric.araujo
versions:  -Python 2.6, Python 3.1, Python 3.4
