New submission from David Jean Louis :
Hi,
I'm the author of the polib Python module. Incidentally, after a bug report in polib (https://bitbucket.org/izi/polib/issue/27/polib-doesnt-check-unescaped-quote), I've found that the eval() in Tools/i18n/msgfmt.py allows arbitrary code execution. Someone could create a malicious po entry like this:

    msgid "owned!"
    msgstr "" or __import__("os").popen("rm -rf /")

As this is an "internal tool" used by developers, maybe it is not very important, but given that people may reuse this script for generating mo files, I think this needs to be fixed. I'm adding a patch for this issue.
Regards,
--
David
--
components: Demos and Tools
files: msgfmt.py.diff
keywords: patch
messages: 146678
nosy: izi
priority: normal
severity: normal
status: open
title: the script Tools/i18n/msgfmt.py allows arbitrary code execution via po files
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23566/msgfmt.py.diff
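Added example, not part of the report or of the attached patch: a character-level unquoter for PO string literals that does what msgfmt.py used eval() for, so a line such as the msgstr above is rejected instead of evaluated, plus a checker that reports every offending line of a .po file. The function names and the sample PO text are my own; the sample repeats the shape of the report's entry with a harmless expression after the closing quote.

```python
import re
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
            "f": "\f", "v": "\v", "\\": "\\", '"': '"'}

def unquote_po_string(literal):
    """Decode one double-quoted PO string literal without eval(); reject anything else."""
    literal = literal.strip()
    if not literal.startswith('"'):
        raise ValueError("expected opening quote: %r" % literal)
    out, i = [], 1
    while i < len(literal):
        ch = literal[i]
        if ch == '"':  # closing quote: an eval()-based unquoter would run what follows it
            if literal[i + 1:].strip():
                raise ValueError("trailing data after closing quote: %r" % literal)
            return "".join(out)
        if ch == "\\":
            m = re.match(r"[0-7]{1,3}", literal[i + 1:])
            if m:  # octal escape such as \033
                out.append(chr(int(m.group(0), 8)))
                i += len(m.group(0))
            elif literal[i + 1:i + 2] in _ESCAPES:
                out.append(_ESCAPES[literal[i + 1]])
                i += 1
            else:
                raise ValueError("unknown escape in %r" % literal)
        else:
            out.append(ch)
        i += 1
    raise ValueError("unterminated string: %r" % literal)

def find_bad_po_lines(po_text):
    """Return (line_no, error) for each msgid/msgstr/continuation line that is not one clean literal."""
    problems = []
    for no, line in enumerate(po_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for kw in ("msgid_plural", "msgid", "msgstr", "msgctxt"):
            if line.startswith(kw):  # drop the keyword and any msgstr[N] index
                line = re.sub(r"^\[\d+\]", "", line[len(kw):])
                break
        try:
            unquote_po_string(line)
        except ValueError as err:
            problems.append((no, str(err)))
    return problems

# Constructed sample: a clean entry, then the report's injection shape with a harmless expression.
SAMPLE_PO = ('msgid "Hello\\n"\nmsgstr "Bonjour\\n"\n'
             'msgid "owned!"\nmsgstr "" or __import__("os").getcwd()\n')
```

ast.literal_eval() would also parse the literal without executing code, but it accepts any literal (numbers, tuples), so a caller using it still has to check the result is a str; the dedicated parser above gives the tighter check directly.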
___
Python tracker
<http://bugs.python.org/issue13301>
___