traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575) 

Similarly to GH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
This commit is contained in:
Florian Bruhin 2020-10-06 16:21:56 +02:00 committed by GitHub
parent 2ef5caa58f
commit a8bf44d049
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Lib/test/test_ucn.py
View File

@ -7,6 +7,7 @@ Modified for Python 2.0 by Fredrik Lundh (fredrik@pythonware.com)
"""#" """#"
import ast
import unittest import unittest
import unicodedata import unicodedata
@ -24,7 +25,7 @@ class UnicodeNamesTest(unittest.TestCase):
# Helper that put all \N escapes inside eval'd raw strings, # Helper that put all \N escapes inside eval'd raw strings,
# to make sure this script runs even if the compiler # to make sure this script runs even if the compiler
# chokes on \N escapes # chokes on \N escapes
res = eval(r'"\N{%s}"' % name) res = ast.literal_eval(r'"\N{%s}"' % name)
self.assertEqual(res, code) self.assertEqual(res, code)
return res return res