New submission from MarkBaggett :
I know there are multiple warnings about the use of eval() in the listener. But
_resolve() and resolve(), used by both fileConfig and dictConfig, also seem like
they can be abused. Here is a working example.
$ ls /tmp/itworked
ls: cannot access '
MarkBaggett added the comment:
Here are the relevant parts of calculator.py:
import logging
import logging.config
import json
import pathlib
import os
config_location = pathlib.Path(os.path.realpath(__file__)).parent / "log.config"
log_config = json.load( config_loc
MarkBaggett added the comment:
"Don't load untrusted config files" is the answer I expected. It's the only safe
answer really. But is there really a mechanism to provide trust of an external
config file other than file permissions? It doesn't seem like hmac or digital
signatur
MarkBaggett added the comment:
Let me also mention that the problem really includes anything that uses the
resolve() functions. Here is a working example that puts an exploit in a
HANDLER rather than a FORMATTER.
$ ls /tmp/alsoworked
ls: cannot access '/tmp/alsoworked': No su
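The two comments above (a factory placed in a HANDLER rather than a FORMATTER, and the question of trusting a config by something stronger than file permissions) can be shown together in one script. This is an added example, not code from the issue thread or from CPython: it reproduces what dictConfig does with a "()" string, uses tempfile.mkdtemp as a benign stand-in for a harmful callable, and then shows the two checks a practitioner would put in front of dictConfig, an allowlist of the dotted names the config may reference and an HMAC tag over the file bytes. The allowlist contents, the config dicts and the key are constructed for the example.

```python
import hashlib
import hmac
import json
import logging.config
import os
import tempfile

# Dotted names this deployment's config is permitted to reference
# (constructed allowlist for the example; extend it for your own handlers).
ALLOWED_FACTORIES = {
    "logging.StreamHandler",
    "logging.handlers.RotatingFileHandler",
    "logging.Formatter",
    "sys.stderr",
    "sys.stdout",
}

# Constructed benign config: a plain console handler referenced by dotted name.
SAFE_CONFIG = {
    "version": 1,
    "formatters": {"plain": {"format": "%(levelname)s %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler",
                             "formatter": "plain",
                             "stream": "ext://sys.stderr"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}
SAFE_CONFIG_BYTES = json.dumps(SAFE_CONFIG, sort_keys=True).encode()


def resolve_like_dictconfig(dotted_name):
    """What dictConfig does with a '()' or 'class' string: BaseConfigurator.resolve()
    imports the module and walks attributes. Nothing checks that the result is a
    Handler or Formatter before it is called with the config's keyword arguments."""
    return logging.config.BaseConfigurator({}).resolve(dotted_name)


def untrusted_config(tmpdir):
    """Constructed attacker-style config: the handler's '()' factory is
    tempfile.mkdtemp (standing in for a harmful callable) and the kwargs it
    receives come straight from the config."""
    return {"version": 1,
            "handlers": {"h": {"()": "tempfile.mkdtemp",
                               "prefix": "resolve-demo-", "dir": tmpdir}}}


def demonstrate_side_effect():
    """Feed the untrusted config to dictConfig. It raises ValueError because the
    factory's return value (a str) is not a handler, but the factory has already
    run. Returns how many directories it created in a scratch tmpdir."""
    with tempfile.TemporaryDirectory() as tmpdir:
        try:
            logging.config.dictConfig(untrusted_config(tmpdir))
        except ValueError:
            pass  # configuration failed, the side effect did not
        return len([n for n in os.listdir(tmpdir) if n.startswith("resolve-demo-")])


def factory_references(config):
    """Yield every dotted name dictConfig would import: '()' and 'class' values,
    plus 'ext://' references, anywhere in the config tree."""
    if isinstance(config, dict):
        for key, value in config.items():
            if isinstance(value, str):
                if key in ("()", "class"):
                    yield value
                elif value.startswith("ext://"):
                    yield value[len("ext://"):]
            else:
                yield from factory_references(value)
    elif isinstance(config, (list, tuple)):
        for item in config:
            yield from factory_references(item)


def check_config(config, allowed=ALLOWED_FACTORIES):
    """Reject the config before dictConfig() if it names anything not allowlisted."""
    disallowed = sorted(set(factory_references(config)) - set(allowed))
    if disallowed:
        raise ValueError("config references non-allowlisted callables: "
                         + ", ".join(disallowed))
    return config


def sign_config(config_bytes, key):
    """HMAC-SHA256 tag computed at deployment time with a key that is NOT stored
    beside the config (otherwise this adds nothing over file permissions)."""
    return hmac.new(key, config_bytes, hashlib.sha256).hexdigest()


def load_verified_config(config_bytes, tag, key):
    """Parse and allowlist-check the config only after its tag verifies."""
    if not hmac.compare_digest(sign_config(config_bytes, key), tag):
        raise ValueError("logging config failed HMAC verification")
    return check_config(json.loads(config_bytes))


if __name__ == "__main__":
    print("resolve() hands back:", resolve_like_dictconfig("tempfile.mkdtemp"))
    print("directories created by the 'handler factory':", demonstrate_side_effect())
    key = b"constructed-demo-key"  # in practice: from a secret store, not the repo
    tag = sign_config(SAFE_CONFIG_BYTES, key)
    logging.config.dictConfig(load_verified_config(SAFE_CONFIG_BYTES, tag, key))
    logging.getLogger().info("configured from a verified, allowlisted config")
```

Two caveats. The allowlist walk covers the dict form only; fileConfig's ini format has its own `class=` keys and an `args=` value that is eval()'d, so the only sane rule there is the one the thread already gives (do not load untrusted files). And the HMAC check proves the bytes are the ones a key holder signed, not that their contents are harmless, so keep the allowlist check behind it rather than replacing one with the other.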