[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [jokosher-devel] Jokosher Security Vulnerability

From: Laszlo Pandy <laszlok2 gmail com>
To: John Green <john thegreens co uk>, Jokosher gnome <jokosher-devel-list gnome org>
Subject: Re: [jokosher-devel] Jokosher Security Vulnerability
Date: Wed, 27 Sep 2006 09:02:37 -0400

John Green wrote:

On Wednesday 27 September 2006 12:49, you wrote:
paramString = func[ func.find("(")+1 : func.rfind(")") ]
paramList = [eval(x) for x in paramString.split(",")]
getattr(target_object, func)(*paramList)

We still have to use eval(), but that's much safer right? Is there
anyway to do malicious things with eval()?
Well, I just tried your code with
func = "Move(os.remove('file'), 0.280000)"
and the os.remove got executed, so very probably. Couldn't we just usefloat(). I know some of the params are ints but is there anywhere where thismatters?

I'm leaning towards having CommandManaged sent a function name and aseparate list of parameters to the undo stack, which can then be storedin XML in their own tags under the <Command> tag. The XML will also savetheir type so they can easily be restored without using eval(). We thenwouldn't have to parse anything from a string and we would just do:


getattr(self, func)(*listOfParams)

I'll see if there will be any problems with implementing this inCommandManaged later tonight.


Laszlo

References:
- [jokosher-devel] Jokosher Security Vulnerability
  - From: Laszlo Pandy
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: John Green
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: Laszlo Pandy

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]