Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb

module. Original patch by Claudiu Popa.
2015-02-16 00:30:43 +02:00 · 2015-02-16 00:30:43 +02:00 · 74eb8b2d1a
parent 57fffd6f99
commit 74eb8b2d1a
3 changed files with 14 additions and 1 deletions
--- a/Lib/dbm/dumb.py
+++ b/Lib/dbm/dumb.py
@ -21,6 +21,7 @@ is read when the database is opened, and some updates rewrite the whole index)

 """

+import ast as _ast
 import io as _io
 import os as _os
 import collections
@ -85,7 +86,7 @@ class _Database(collections.MutableMapping):
            with f:
                for line in f:
                    line = line.rstrip()
-                    key, pos_and_siz_pair = eval(line)
+                    key, pos_and_siz_pair = _ast.literal_eval(line)
                    key = key.encode('Latin-1')
                    self._index[key] = pos_and_siz_pair

--- a/Lib/test/test_dbm_dumb.py
+++ b/Lib/test/test_dbm_dumb.py
@ -217,6 +217,15 @@ class DumbDBMTestCase(unittest.TestCase):
            self.assertEqual(str(cm.exception),
                             "DBM object has already been closed")

+    def test_eval(self):
+        with open(_fname + '.dir', 'w') as stream:
+            stream.write("str(print('Hacked!')), 0\n")
+        with support.captured_stdout() as stdout:
+            with self.assertRaises(ValueError):
+                with dumbdbm.open(_fname) as f:
+                    pass
+            self.assertEqual(stdout.getvalue(), '')
+
    def tearDown(self):
        _delete_files()

--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------

+- Issue #22885: Fixed arbitrary code execution vulnerability in the dbm.dumb
+  module.  Original patch by Claudiu Popa.
+
 - Issue #23146: Fix mishandling of absolute Windows paths with forward
  slashes in pathlib.