New submission from Graham Dumpleton <graham.dumple...@gmail.com>: This issue was raised first on secur...@python.org. Guido responded that not sensitive enough to be kept to the list and that okay to log a bug report.
This issue may not warrant any action except perhaps an update to documentation for the logging module to warn about it, but thought that should raise it just in case someone felt it needed actual code changes to be made to avoid the issue if possible. The problem arises in the Python logging modules ability to create a listener socket which can accept new configuration in the ini file format. http://docs.python.org/library/logging.config.html#logging.config.listen """To send a configuration to the socket, read in the configuration file and send it to the socket as a string of bytes preceded by a four-byte length string packed in binary using struct.pack('>L', n).""" This sounds innocuous and the documentation at that point doesn't warn that you are opening yourself up to security problems in using it. You get a hint of potential issues later if one reads later documentation about the file format: """The class entry indicates the handler’s class (as determined by eval() in the logging package’s namespace). The level is interpreted as for loggers, and NOTSET is taken to mean ‘log everything’.""" There are other mentions about eval() in context of log level and args for the handler class as well, but not sure that is used for log level as it says. The combination of the open listener port for configuration and that processing of the configuration file uses eval(), means that one could send a configuration file to the process containing: [handler_consoleHandler] class=os.system('echo security issue') or StreamHandler level=DEBUG formatter=simpleFormatter args=(sys.stdout,) and one could execute an arbitrary command as the user the process runs as. The problem is tempered by the fact that someone has to enable the feature, which is likely rare, but also because socket connections to send new configuration will only be accepted from the same host ('localhost') and the host can not be overridden. So can only be taken advantage of by someone (potentially a different user) on the same host and not remotely at least. The specific code in Python 3.2 is: section = cp["handler_%s" % hand] klass = section["class"] fmt = section.get("formatter", "") try: klass = eval(klass, vars(logging)) except (AttributeError, NameError): klass = _resolve(klass) args = section["args"] args = eval(args, vars(logging)) h = klass(*args) and older Python 2.X versions have similar code. Although you could perhaps avoid need for eval for class lookup, can't see that you could do that for args unless you restrict it to literal values and use a more limited eval like parser. At the minimum there probably should be a warning in the documentation about using the logging module configuration port on untrusted systems with shared users. ---------- components: Library (Lib) messages: 166343 nosy: grahamd priority: normal severity: normal status: open title: Ability to do code injection via logging module configuration listener port. type: security versions: Python 3.2 _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue15445> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
