the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files

[izi]

BPO	13301
Nosy	@warsaw, @birkenfeld, @benjaminp, @ezio-melotti, @merwok, @akheron, @serhiy-storchaka
Files	msgfmt.py.diff: Patch that replaces the eval() call msgfmt.py.diff.update1.diff: Handle unescaped quote at the beginning of the string msgfmt_literal_eval.patch: Use the literal_eval, Luke!

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/ezio-melotti'
closed_at = <Date 2012-11-09.10:53:39.828>
created_at = <Date 2011-10-31.09:18:15.563>
labels = ['type-security']
title = 'the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files'
updated_at = <Date 2012-11-09.10:53:39.827>
user = 'https://bugs.python.org/izi'

bugs.python.org fields:

activity = <Date 2012-11-09.10:53:39.827>
actor = 'ezio.melotti'
assignee = 'ezio.melotti'
closed = True
closed_date = <Date 2012-11-09.10:53:39.828>
closer = 'ezio.melotti'
components = ['Demos and Tools']
creation = <Date 2011-10-31.09:18:15.563>
creator = 'izi'
dependencies = []
files = ['23566', '23567', '27832']
hgrepos = []
issue_num = 13301
keywords = ['patch']
message_count = 8.0
messages = ['146678', '146680', '146681', '146683', '173202', '174470', '175219', '175220']
nosy_count = 9.0
nosy_names = ['barry', 'georg.brandl', 'benjamin.peterson', 'ezio.melotti', 'eric.araujo', 'python-dev', 'petri.lehtinen', 'izi', 'serhiy.storchaka']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue13301'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4']

[izi]

Hi,

I'm the author of the polib python module, incidentally (after a bug report in polib: https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote) I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution, someone could create a malicious po entry like this:

msgid "owned!"
msgstr "" or __import__("os").popen("rm -rf /")

As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed, I'm adding a patch for this issue.

Regards,

--
David

[birkenfeld]

This should be fixed; the patch doesn't seem correct though, it doesn't handle escapes like eval() would.

[izi]

I'm adding an updated patch that also handles unescaped double quote at the beginning of the string.

[izi]

Hmm, I missed your previous message, indeed, unescaping is not handled by this patch, sorry about that. Here's how it is handled in polib:
https://bitbucket.org/izi/polib/src/dbafdc621bf4/polib.py#cl-206

[serhiy-storchaka]

The patch does not unquote strings ("spam\n" is interpreted as r"spam\n") and allows invalid entry such as "\\" or boo.

[serhiy-storchaka]

Here is a more simpler patch. Please approve, it's a really trivial patch.

[python-dev]

New changeset 058ff991bdcb by Ezio Melotti in branch '2.7':
bpo-13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/058ff991bdcb

New changeset 2fa338374719 by Ezio Melotti in branch '3.2':
bpo-13301: use ast.literal_eval() instead of eval() in Tools/i18n/msgfmt.py. Patch by Serhiy Storchaka.
http://hg.python.org/cpython/rev/2fa338374719

New changeset ea2cb9b69fd9 by Ezio Melotti in branch '3.3':
bpo-13301: merge with 3.2.
http://hg.python.org/cpython/rev/ea2cb9b69fd9

New changeset aa02f7be68f6 by Ezio Melotti in branch 'default':
bpo-13301: merge with 3.3.
http://hg.python.org/cpython/rev/aa02f7be68f6

[ezio-melotti]

Fixed, thanks for the patch!