[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-06 Thread Vinay Sajip
Vinay Sajip added the comment: I'm closing with the assumption that the addition to the documentation covers this. If that needs to be improved, this can be reopened with specific suggestions. -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-06 Thread Vinay Sajip
Vinay Sajip added the comment: New changeset 188fbdee0d6721a948eabb81cdcacac371614793 by Miss Islington (bot) in branch '3.9': [3.9] bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411) (GH-30448) https://github.com/python/cpython/commit/188fbdee0d6721a948eabb81cd

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-06 Thread Vinay Sajip
Vinay Sajip added the comment: New changeset db60ed1170a02189a4fd4b7574e0722dd22c658b by Miss Islington (bot) in branch '3.10': [3.10] bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411) (GH-30447) https://github.com/python/cpython/commit/db60ed1170a02189a4fd4b75

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-06 Thread miss-islington
Change by miss-islington: -- nosy: +miss-islington nosy_count: 3.0 -> 4.0 pull_requests: +28652 stage: -> patch review pull_request: https://github.com/python/cpython/pull/30447

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-06 Thread Vinay Sajip
Vinay Sajip added the comment: New changeset 46c7a6566bca2e974a89c90c35ed1c498d9d3b02 by Vinay Sajip in branch 'main': bpo-46251: Add 'Security Considerations' section to logging configura… (GH-30411) https://github.com/python/cpython/commit/46c7a6566bca2e974a89c90c35ed1c498d9d3b02

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-06 Thread miss-islington
Change by miss-islington: -- pull_requests: +28653 pull_request: https://github.com/python/cpython/pull/30448

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-05 Thread Vinay Sajip
Vinay Sajip added the comment: I've created a PR to add a "Security Considerations" section in the configuration documentation. Comments on the PR are welcome. -- stage: patch review ->

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-05 Thread Vinay Sajip
Change by Vinay Sajip: -- keywords: +patch pull_requests: +28617 stage: -> patch review pull_request: https://github.com/python/cpython/pull/30411

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-04 Thread Vinay Sajip
Vinay Sajip added the comment:

> "Don't load untrusted config files" is the answer I expected.

Yes. It's the usual convenience vs. security trade-off. To make configuration convenient, configurable factories with configurable parameters are provided. Can this be misused? Of course. Digital s

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-04 Thread Ned Deily
Change by Ned Deily: -- nosy: +vinay.sajip

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-04 Thread MarkBaggett
MarkBaggett added the comment: Let me also mention that the problem really includes anything that uses the resolve() functions. Here is a working example that puts an exploit in a HANDLER rather than a FORMATTER.

$ ls /tmp/alsoworked
ls: cannot access '/tmp/alsoworked': No such file or direc
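The resolve() path Mark describes above, and the "don't load untrusted config files" advice given earlier in the thread, as an added example that is not code from this thread or from CPython. It assumes Python 3.8 or later and uses os.environ.__setitem__ as a harmless stand-in for os.popen, so the side effect is visible without running a shell command; the config dicts, the LOGCFG_DEMO variable name and the allowlist (logging., sys.stdout, sys.stderr) are constructed for the demo, the allowlist standing in for whatever a site actually permits. Only dictConfig is covered; fileConfig resolves "class" and eval()s its "args" entries through separate code.

```python
"""Added example for bpo-46251; not code from the thread or from CPython.
Shows that logging.config.dictConfig() calls whatever dotted name appears
under "()" (the same BaseConfigurator.resolve() path also serves "class"
and "ext://" values, for formatters, handlers and filters alike), and a
pre-check that refuses configs referencing anything outside an allowlist."""
import logging
import logging.config
import os

DEMO_VAR = "LOGCFG_DEMO"   # assumed: any otherwise-unused environment variable
ALLOWED = ("logging.", "sys.stdout", "sys.stderr")  # assumed site policy

# Constructed "untrusted" configs. The factory is os.environ.__setitem__, a
# harmless stand-in for os.popen: it proves an arbitrary, non-logging callable
# runs during configuration, with "key"/"value" passed as keyword arguments.
UNTRUSTED_FORMATTER = {
    "version": 1, "disable_existing_loggers": False,
    "formatters": {"evil": {"()": "os.environ.__setitem__",
                            "key": DEMO_VAR, "value": "formatter-factory-ran"}},
}
UNTRUSTED_HANDLER = {
    "version": 1, "disable_existing_loggers": False,
    "handlers": {"evil": {"()": "os.environ.__setitem__",
                          "key": DEMO_VAR, "value": "handler-factory-ran"}},
}
# Constructed benign config of the kind the allowlist is meant to admit.
SAFE_CONFIG = {
    "version": 1, "disable_existing_loggers": False,
    "formatters": {"std": {"format": "%(levelname)s %(name)s: %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler",
                             "formatter": "std", "stream": "ext://sys.stderr"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}


def run_untrusted_formatter():
    """dictConfig() succeeds, and the factory has already run."""
    os.environ.pop(DEMO_VAR, None)
    logging.config.dictConfig(UNTRUSTED_FORMATTER)
    return os.environ.get(DEMO_VAR)


def run_untrusted_handler():
    """Same via a handler: dictConfig() fails afterwards (the factory returned
    None, which is not a Handler), but the callable has already executed.
    Returns (environment value, whether dictConfig raised)."""
    os.environ.pop(DEMO_VAR, None)
    raised = False
    try:
        logging.config.dictConfig(UNTRUSTED_HANDLER)
    except Exception:
        raised = True
    return os.environ.get(DEMO_VAR), raised


def _dotted_refs(section, name, obj, path, out):
    """Collect every dotted name dictConfig would resolve for one component:
    top-level "()"/"class" entries plus any "ext://" string nested anywhere
    (ext:// values are resolved, which imports the named module)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in ("()", "class") and not path:
                out.append((f"{section}.{name}[{key!r}]", value))
            _dotted_refs(section, name, value, path + [key], out)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _dotted_refs(section, name, value, path + [i], out)
    elif isinstance(obj, str) and obj.startswith("ext://"):
        out.append((f"{section}.{name}{path}", obj[len("ext://"):]))


def check_logging_config(cfg):
    """Raise ValueError unless every dotted name in cfg starts with ALLOWED.
    Returns the list of (location, reference) pairs that were inspected."""
    refs = []
    for section in ("formatters", "handlers", "filters"):
        for name, item in (cfg.get(section) or {}).items():
            _dotted_refs(section, name, item, [], refs)
    for where, ref in refs:
        if not isinstance(ref, str):
            raise ValueError(f"{where}: reference must be a dotted-name string")
        if not ref.startswith(ALLOWED):
            raise ValueError(f"{where}: {ref!r} is not in the allowlist")
    return refs


def is_config_allowed(cfg):
    try:
        check_logging_config(cfg)
        return True
    except ValueError:
        return False


def safe_dict_config(cfg):
    """Apply cfg only after the allowlist check; returns the inspected refs."""
    refs = check_logging_config(cfg)
    logging.config.dictConfig(cfg)
    return refs


if __name__ == "__main__":
    print("formatter factory ran:", run_untrusted_formatter())
    print("handler factory ran, dictConfig raised:", run_untrusted_handler())
    print("untrusted config allowed?", is_config_allowed(UNTRUSTED_FORMATTER))
    print("safe config refs:", safe_dict_config(SAFE_CONFIG))
    logging.getLogger("demo").info("configured through the checked path")
```

The handler case is the one worth noting: dictConfig() raises "Unable to configure handler" because the factory did not return a Handler, but only after the callable has run, so a failed configuration is no evidence that nothing executed. The check is a pre-filter over the plain dict, so it sees exactly what dictConfig will see, but it narrows rather than removes the trust placed in the file: an allowlisted class can still be handed attacker-chosen keyword arguments (a logging.FileHandler with an arbitrary filename, for instance).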

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread Irit Katriel
Change by Irit Katriel: -- components: +Library (Lib)

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread MarkBaggett
MarkBaggett added the comment: "Don't load untrusted config files" is the answer I expected. It's the only safe answer really. But is there really a mechanism to provide trust of an external config file other than file permissions? It doesn't seem like hmac or digital signatures work because yo

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread Eric V. Smith
Eric V. Smith added the comment: Actually, the last line isn't necessary.

import logging.config
import json

log_config_txt = '''{
  "version":1,
  "formatters":{
    "EXPLOIT":{
      "class": "os.popen",
      "format": "touch itworked",
      "datefmt"

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread Eric V. Smith
Eric V. Smith added the comment: Thanks. Here's a somewhat smaller, one-file version, that writes to the current directory (I'm on Windows, no /tmp):
-
import logging
import logging.config
import json

log_config_txt = '''{
  "version":1,
  "formatters":{
    "EXP

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread MarkBaggett
MarkBaggett added the comment: Here are the relevant parts of calculator.py..

import logging
import logging.config
import json
import pathlib
import os

config_location = pathlib.Path( os.path.realpath(__file__) ).parent / "log.config"
log_config = json.load( config_location.open() )
loggin

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread Eric V. Smith
Eric V. Smith added the comment: What are the contents of calculator.py? -- nosy: +eric.smith

[issue46251] logger.config.configure_formatter executes arbitrary code

2022-01-03 Thread MarkBaggett
New submission from MarkBaggett: I know there are multiple warnings about the use of eval() in the listener. But _resolve() and resolve() used by both fileConfig and dictConfig also seem like they can be abused. Here is a working example.

$ ls /tmp/itworked
ls: cannot access '/tmp/itwo