[Python-Dev] [Python-checkins] cpython (3.2): Issue #15445: Updated logging configuration documentation to highlight

[Nick Coghlan]

On Thu, Jul 26, 2012 at 4:20 AM, vinay.sajip <python-checkins at python.org> wrote:
> +   .. note:: Because portions of the configuration are passed through
> +      :func:`eval`, use of this function may open its users to a security risk.
> +      While the function only binds to a socket on ``localhost``, and so does
> +      not accept connections from remote machines, there are scenarios where
> +      untrusted code could be run under the account of the process which calls
> +      :func:`listen`. Specifically, if the process calling :func:`listen` runs
> +      on a multi-user machine where users cannot trust each other, then a
> +      malicious user could arrange to run essentially arbitrary code in a
> +      victim user's process, simply by connecting to the victim's
> +      :func:`listen` socket and sending a configuration which runs whatever
> +      code the attacker wants to have executed in the victim's process. This is
> +      especially easy to do if the default port is used, but not hard even if a
> +      different port is used).

Looking at PEP 391, it appears it should be possible to replace the
current use of eval() with a combination of the much safer
ast.literal_eval() and the str.format attribute/item access
micro-language.

Worth exploring for 3.4 (http://bugs.python.org/issue15452), as it
would be better to actually try to close this attack vector rather
than just documenting that it exists.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia