[issue18317] gettext: DoS via crafted Plural-Forms

Serhiy Storchaka added the comment: The DoS as well as other flaws is fixed in issue28563 by implementing a complete parser for GNU gettext plural form expressions. -- nosy: +serhiy.storchaka resolution: -> fixed stage: test needed -> resolved status: open -> closed superseder: -> Arb

[issue18317] gettext: DoS via crafted Plural-Forms

Changes by Christian Heimes : -- versions: +Python 3.5, Python 3.6, Python 3.7 -Python 3.2, Python 3.3 ___ Python tracker ___ ___ Pyth

[issue18317] gettext: DoS via crafted Plural-Forms

Christian Heimes added the comment: Thanks for the link plural.y! I was looking for a C file, not a YACC file. The AST approach has advantages over tokenizing. The tokenizer returns just symbols but the AST has also context information. It makes it much easier to distinguish between unary - an

[issue18317] gettext: DoS via crafted Plural-Forms

Jakub Wilk added the comment: Making token filtering more thorough may be simpler that going through AST. I think Python should accept all the operators that GNU gettext accepts: http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y?id=v0.18.2.1#n132 -- __

[issue18317] gettext: DoS via crafted Plural-Forms

Christian Heimes added the comment: We don't eval() the whole MO file. It's just the pluralization formula, http://www.gnu.org/software/gettext/manual/gettext.html#index-nplurals_0040r_007b_002c-in-a-PO-file-header_007d-1093 The patch uses ast.NodeVisitor to look for dangerous code. --

[issue18317] gettext: DoS via crafted Plural-Forms

Antoine Pitrou added the comment: I would rather ask: why do we eval() MO files? -- ___ Python tracker ___ ___ Python-bugs-list mailin

[issue18317] gettext: DoS via crafted Plural-Forms

Benjamin Peterson added the comment: Why do we have "support" for untrusted MO files? -- nosy: +benjamin.peterson ___ Python tracker ___ _

[issue18317] gettext: DoS via crafted Plural-Forms

Christian Heimes added the comment: Ah, I see what you are doing. Nice catch! Plural-Forms: nplurals=0; plural=42**42**42; The plural form gets parsed by gettext.c2py() and eventually turned into a lambda that executes int(42**42**42). Perhaps a custom AST visitor could be used to filter out

[issue18317] gettext: DoS via crafted Plural-Forms

Changes by Christian Heimes : -- nosy: +loewis, pitrou ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://m

[issue18317] gettext: DoS via crafted Plural-Forms

Christian Heimes added the comment: Thanks, can you please provide the PO file, too? Or did you construct the MO file manually? -- nosy: +christian.heimes stage: -> test needed versions: +Python 2.7, Python 3.2, Python 3.3, Python 3.4 ___ Python tr

[issue18317] gettext: DoS via crafted Plural-Forms

New submission from Jakub Wilk: It is possible to craft a MO file with Plural-Forms taking arbitrary amounts of CPU and memory to evaluate. A test case is attached. I realize that opening unstrusted MO files is a rather unusual use case, but the module already contains some code to protect aga

[issue18317] gettext: DoS via crafted Plural-Forms

Changes by Jakub Wilk : Added file: http://bugs.python.org/file30716/testcase.py ___ Python tracker ___ ___ Python-bugs-list mailing list Unsu