On Thu, Jul 26, 2012 at 4:20 AM, vinay.sajip <python-check...@python.org> wrote: > + .. note:: Because portions of the configuration are passed through > + :func:`eval`, use of this function may open its users to a security > risk. > + While the function only binds to a socket on ``localhost``, and so does > + not accept connections from remote machines, there are scenarios where > + untrusted code could be run under the account of the process which > calls > + :func:`listen`. Specifically, if the process calling :func:`listen` > runs > + on a multi-user machine where users cannot trust each other, then a > + malicious user could arrange to run essentially arbitrary code in a > + victim user's process, simply by connecting to the victim's > + :func:`listen` socket and sending a configuration which runs whatever > + code the attacker wants to have executed in the victim's process. This > is > + especially easy to do if the default port is used, but not hard even > if a > + different port is used).
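Review bot: The added note never says which portions of the configuration go through :func:`eval`, so a reader cannot tell which config forms or fields to avoid; name them in the first sentence (e.g. "Because the handler ``args`` values in the configuration are passed through :func:`eval`" or whatever the affected fields actually are) so the warning is actionable rather than only descriptive. Also, the final sentence closes a parenthesis that was never opened ("not hard even if a different port is used)."); either drop the ``)`` or open the parenthetical at "This is especially easy".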
Looking at PEP 391, it appears it should be possible to replace the current use of eval() with a combination of the much safer ast.literal_eval() and the str.format attribute/item access micro-language. Worth exploring for 3.4 (http://bugs.python.org/issue15452), as it would be better to actually try to close this attack vector rather than just documenting that it exists.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
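The replacement Nick sketches, as an added example that is neither logging.config's own code nor Nick's: a restricted evaluator for an ini-style handler ``args`` string that accepts the ast.literal_eval subset plus dotted-name lookups resolved only through a whitelist dict, and rejects everything else before anything runs. The function names and the ``SAFE_NAMES`` whitelist are assumptions made for the demo.

```python
# Added example, not logging.config's own code: evaluate a fileConfig-style
# handler "args" string with an AST walk that allows only literals, containers
# and dotted-name lookups into a whitelist, instead of eval(). (Python >= 3.8)
import ast
import logging
import sys

class UnsafeConfigValue(ValueError):
    """Raised when the expression contains anything but literals or lookups."""

def _dotted_name(node):
    # Flatten a.b.c into "a.b.c" without ever touching real objects.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        raise UnsafeConfigValue("attribute base must be a plain name")
    parts.append(node.id)
    return ".".join(reversed(parts))

def _eval_node(node, namespace):
    # The literal subset ast.literal_eval accepts: constants and containers.
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Tuple):
        return tuple(_eval_node(e, namespace) for e in node.elts)
    if isinstance(node, ast.List):
        return [_eval_node(e, namespace) for e in node.elts]
    if isinstance(node, ast.Dict):
        return {_eval_node(k, namespace): _eval_node(v, namespace)
                for k, v in zip(node.keys, node.values)}
    # Names resolve only through the whitelist dict, so calls, imports,
    # subscripts and operators are all rejected before anything executes.
    if isinstance(node, (ast.Name, ast.Attribute)):
        dotted = _dotted_name(node)
        if dotted in namespace:
            return namespace[dotted]
        raise UnsafeConfigValue(f"name not in whitelist: {dotted!r}")
    raise UnsafeConfigValue(f"disallowed syntax: {type(node).__name__}")

def safe_handler_args(text, namespace):
    """Parse an ini-style handler args tuple without eval()."""
    return _eval_node(ast.parse(text, mode="eval").body, namespace)

# Constructed whitelist (assumption): the names a handler args tuple needs.
SAFE_NAMES = {"sys.stderr": sys.stderr, "sys.stdout": sys.stdout,
              "logging.DEBUG": logging.DEBUG}
```

Negative numbers and arithmetic are UnaryOp/BinOp nodes and are therefore rejected too; extend ``_eval_node`` deliberately if a config legitimately needs them.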