Re: [jokosher-devel] Jokosher Security Vulnerability



John Green wrote:
On Wednesday 27 September 2006 12:49, you wrote:
funcName = func[ : func.find("(") ]
paramString = func[ func.find("(")+1 : func.rfind(")") ]
# eval() executes each parameter as an arbitrary Python expression
paramList = [eval(x) for x in paramString.split(",")]
getattr(target_object, funcName)(*paramList)

We still have to use eval(), but that's much safer, right? Is there
any way to do malicious things with eval()?


Well, I just tried your code with
func = "Move(os.remove('file'), 0.280000)"

and the os.remove got executed, so very probably. Couldn't we just use float()? I know some of the params are ints, but is there anywhere where this matters?


I'm leaning towards having CommandManaged send a function name and a separate list of parameters to the undo stack, which can then be stored in XML in their own tags under the <Command> tag. The XML will also save their type so they can easily be restored without using eval(). We then wouldn't have to parse anything from a string and we would just do:

getattr(self, func)(*listOfParams)

I'll see if there will be any problems with implementing this in CommandManaged later tonight.

Laszlo
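The approach sketched in the two messages above (John's point that parameters only need a typed converter such as float(), and Laszlo's plan to store the function name and a typed parameter list under the <Command> tag and dispatch with getattr) can be shown end to end. The following is an added example written for this thread, not Jokosher's code: the Track class, its Move(old_position, new_position) method, the UNDO_COMMANDS allow-list and the <Parameter type="..."> element layout are all assumptions made for the illustration. The point it demonstrates is that a parameter like os.remove('file') survives the round trip only as a string value and is never evaluated, and that a function name outside the allow-list is refused before getattr is reached.

```python
import xml.etree.ElementTree as ET

# Parameter types the undo stack is allowed to store, keyed by the
# name written into the XML "type" attribute. Each entry is a plain
# converter, so restoring a parameter never evaluates it as code.
_TYPE_PARSERS = {
    "int": int,
    "float": float,
    "str": str,
    "bool": lambda s: {"True": True, "False": False}[s],
}

# Only these method names may be dispatched from a stored command
# (assumed allow-list for this example; Jokosher's real command set is
# not shown in the thread).
UNDO_COMMANDS = {"Move"}


class Track:
    """Hypothetical target object with one undoable command."""

    def __init__(self):
        self.position = 0.0
        self.log = []

    def Move(self, old_position, new_position):
        # Record what was called so the test can inspect it.
        self.log.append(("Move", old_position, new_position))
        self.position = new_position
        return self.position


def serialize_command(func_name, params):
    """Build <Command function="..."><Parameter type="...">value</Parameter>...</Command>."""
    if func_name not in UNDO_COMMANDS:
        raise ValueError("refusing to store unknown command %r" % func_name)
    elem = ET.Element("Command", {"function": func_name})
    for value in params:
        type_name = type(value).__name__
        if type_name not in _TYPE_PARSERS:
            raise TypeError("unsupported parameter type %r" % type_name)
        p = ET.SubElement(elem, "Parameter", {"type": type_name})
        p.text = str(value)
    return ET.tostring(elem, encoding="unicode")


def deserialize_command(xml_text):
    """Return (function name, parameter list) without eval().

    Raises ValueError for an unknown command name or parameter type.
    """
    elem = ET.fromstring(xml_text)
    if elem.tag != "Command":
        raise ValueError("expected a <Command> element, got <%s>" % elem.tag)
    func_name = elem.get("function")
    if func_name not in UNDO_COMMANDS:
        raise ValueError("command %r is not on the allow-list" % func_name)
    params = []
    for p in elem.findall("Parameter"):
        parser = _TYPE_PARSERS.get(p.get("type"))
        if parser is None:
            raise ValueError("unknown parameter type %r" % p.get("type"))
        params.append(parser(p.text or ""))
    return func_name, params


def run_command(target, xml_text):
    """Restore a stored command and call it: getattr(target, func)(*params)."""
    func_name, params = deserialize_command(xml_text)
    return getattr(target, func_name)(*params)


def is_rejected(xml_text):
    """True when the stored command is refused before anything is called."""
    try:
        deserialize_command(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    track = Track()
    stored = serialize_command("Move", [1.5, 0.28])
    print(stored)
    print(run_command(track, stored), track.log)
    # The payload from the thread is stored as a str and comes back as a str.
    print(run_command(track, serialize_command("Move", ["os.remove('file')", 0.28])))
    # A hand-crafted command naming a method outside the allow-list is refused.
    print(is_rejected('<Command function="__class__"/>'))
```

Compared with the eval() version, the only parsing left is the XML itself, and each value is converted by exactly the converter its type attribute names; a "type" attribute the reader does not recognise is an error rather than a fallback to eval(). Keeping the command name on an allow-list matters as well, since getattr on an arbitrary attribute name would otherwise reach attributes that were never meant to be undo commands.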


