[ python-Bugs-1722239 ] NamedTuple security issue

SourceForge.net noreply at sourceforge.net
Mon May 21 10:25:51 CEST 2007


Bugs item #1722239, was opened at 2007-05-20 13:00
Message generated for change (Comment added) made by rhettinger
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1722239&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.6
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Christian Heimes (tiran)
Assigned to: Raymond Hettinger (rhettinger)
Summary: NamedTuple security issue

Initial Comment:
collections.NamedTuple is using an assert to prevent exec attacks:

assert ''.join(field_names).replace('_', '').isalpha()     
# protect against exec attack
s

asserts are ignored when Python code is run with the -O or -OO flag. I suggest to replace them.



----------------------------------------------------------------------

>Comment By: Raymond Hettinger (rhettinger)
Date: 2007-05-21 03:25

Message:
Logged In: YES 
user_id=80475
Originator: NO

Fixed.  See revision:   55487


----------------------------------------------------------------------

Comment By: Raymond Hettinger (rhettinger)
Date: 2007-05-21 00:39

Message:
Logged In: YES 
user_id=80475
Originator: NO

Will replace the assertion with something that always executes.


----------------------------------------------------------------------

Comment By: Christian Heimes (tiran)
Date: 2007-05-20 15:40

Message:
Logged In: YES 
user_id=560817
Originator: YES

It's less than a ton (how do I weight source code? *g*) but it's used in
some modules. Personally I don't like the usage of exec/execfile and I'm
always worried when I see code that utilizes it. I've created a patch that
checks typename and field_names for non alphanumeric characters.

Bastion.py:    exec testcode
bdb.py:                exec cmd in globals, locals
cgi.py:            exec "testing print_exception() -- <I>italics?</I>"
code.py:            exec code in self.locals
collections.py:    exec template in m
cProfile.py:            exec cmd in globals, locals
doctest.py:                exec compile(example.source, filename,
"single",
hashlib.py:            exec funcName + ' = f'
hashlib.py:                exec funcName + ' =
__get_builtin_constructor(funcName)'
ihooks.py:            exec code in m.__dict__
imputil.py:                exec code in module.__dict__
pdb.py:            exec code in globals, locals
profile.py:            exec cmd in globals, locals
rexec.py:        exec TEMPLATE % (m, m)
rexec.py:        exec code in m.__dict__
runpy.py:    exec code in run_globals
site.py:                exec line
socket.py:        exec _s % (_m, _m, _m, _m)
timeit.py:            exec code in globals(), ns
timeit.py:                    exec _setup in globals(), ns
trace.py:            exec cmd in dict, dict
trace.py:            exec cmd in globals, locals


File Added: NamedTuple_55472.diff

----------------------------------------------------------------------

Comment By: Brett Cannon (bcannon)
Date: 2007-05-20 14:23

Message:
Logged In: YES 
user_id=357491
Originator: NO

Or you could just not have the security protection in there.  I am sure
there are a ton of other places that are not protected against malicious
use of exec.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1722239&group_id=5470


More information about the Python-bugs-list mailing list