[New-bugs-announce] [issue13301] the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

David Jean Louis report at bugs.python.org
Mon Oct 31 10:18:16 CET 2011


New submission from David Jean Louis <izimobil at gmail.com>:

Hi, 

I'm the author of the polib Python module. Incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote), I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution; someone could create a malicious po entry like this:

msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")

As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed. I'm adding a patch for this issue.

Regards,

-- 
David

----------
components: Demos and Tools
files: msgfmt.py.diff
keywords: patch
messages: 146678
nosy: izi
priority: normal
severity: normal
status: open
title: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23566/msgfmt.py.diff

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13301>
_______________________________________
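As an added illustration (not the patch attached to this report, nor the code that went into msgfmt.py), here is a parser for PO quoted-string lines that decodes the gettext escapes itself instead of handing the text to eval(); the function names, the regex and the sample lines are my own, and the hostile sample line is a constructed, harmless variant of the entry shown in the report:

```python
# Added example: parse msgid/msgstr string lines without eval().
import re

# One PO string line: an optional keyword, then exactly one double-quoted
# literal and nothing else. Trailing text after the closing quote, such as
# an `or ...` expression, makes the whole line invalid.
_PO_LINE = re.compile(r'^(?:(msgid|msgstr)\s+)?"((?:[^"\\]|\\.)*)"\s*$')

# Escape sequences accepted inside the literal; anything else is an error.
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', '\\': '\\'}


def unquote_po_line(line):
    """Return (keyword, decoded_text) for a PO string line.

    Raises ValueError for anything that is not a single quoted literal.
    """
    m = _PO_LINE.match(line)
    if m is None:
        raise ValueError("not a plain quoted PO string: %r" % line)
    keyword, raw = m.group(1), m.group(2)
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == '\\':
            i += 1
            esc = raw[i]  # the regex guarantees a char follows the backslash
            if esc not in _ESCAPES:
                raise ValueError("unsupported escape \\%s in %r" % (esc, line))
            out.append(_ESCAPES[esc])
        else:
            out.append(ch)
        i += 1
    return keyword, ''.join(out)


# Constructed sample input: a benign entry and a hostile line of the same
# shape as the one in the report (harmless expression used here).
SAMPLE_PO = [
    'msgid "owned!"',
    'msgstr "" or __import__("os").getcwd()',
]


def check_entries(lines):
    """Parse every line; return (accepted, rejected) lists for review."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(unquote_po_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected
```

With eval() the second sample line would have been executed while building the catalog; here it is reported as a malformed entry and never evaluated.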
