bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests by serhiy-storchaka · Pull Request #22566 · python/cpython · GitHub
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests #22566


Conversation

serhiy-storchaka
Member
@serhiy-storchaka serhiy-storchaka commented Oct 5, 2020

    elif csetval >= 0x100:
        csetch = bytes([(csetval >> 8), (csetval & 0xff)])
    else:
        assert data[0][:2] == '0x'
Member


I suggest something like:

if not data[0].startswith('0x'):
    self.fail(f"Invalid line: {line!r}")
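Replacing eval() with explicit parsing is the substance of this PR, and the suggestion above turns the prefix assert into a clear test failure. As an added example that is not code from CPython or from this PR, the following is a small parser for mapping-table lines in the `0xNNNN` column format: it validates the `0x` prefix, converts with int(..., 16) so nothing from the downloaded file is ever executed, and raises a dedicated error instead of asserting. The names parse_mapping_line, parse_hex, encode_charset_value and MappingError, the '+'-joined sequence convention and the sample lines are this example's own constructions.

```python
# Added example: parse CJK codec mapping-table lines without eval().
# parse_mapping_line, parse_hex, encode_charset_value and MappingError are
# this example's own names, not the CPython test suite's. Sample data below
# is constructed.

import re

# A mapping-table token is exactly "0x" followed by 1..8 hex digits.
HEX_TOKEN = re.compile(r'^0x([0-9A-Fa-f]{1,8})$')


class MappingError(ValueError):
    """Raised when a line does not match the expected mapping format."""


def parse_hex(token):
    """Convert a '0xNNNN' token to int.

    int(..., 16) only accepts digits; eval(token) would evaluate any
    Python expression found in the downloaded file.
    """
    m = HEX_TOKEN.match(token)
    if not m:
        raise MappingError(f"Invalid hex token: {token!r}")
    return int(m.group(1), 16)


def encode_charset_value(csetval):
    """Turn a charset code value into the byte sequence it denotes:
    one byte below 0x100, two big-endian bytes up to 0xFFFF."""
    if csetval < 0x100:
        return bytes([csetval])
    if csetval < 0x10000:
        return bytes([csetval >> 8, csetval & 0xff])
    raise MappingError(f"Charset value out of range: {csetval:#x}")


def parse_mapping_line(line):
    """Parse one line into (charset_bytes, unicode_str).

    Returns None for blank and comment-only lines; raises MappingError
    for anything that is not two hex columns.
    """
    line = line.split('#', 1)[0].strip()
    if not line:
        return None
    data = line.split()
    if len(data) < 2:
        raise MappingError(f"Invalid line: {line!r}")
    csetval = parse_hex(data[0])
    # Unicode column: one code point, or several joined by '+' (example's
    # own convention for sequences).
    unich = ''.join(chr(parse_hex(tok)) for tok in data[1].split('+'))
    return encode_charset_value(csetval), unich


def parse_mapping(text):
    """Parse a whole table into {charset_bytes: unicode_str}, reporting the
    offending line number on the first malformed entry."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_mapping_line(line)
        except MappingError as exc:
            raise MappingError(f"line {lineno}: {exc}") from None
        if entry is not None:
            table[entry[0]] = entry[1]
    return table


# Constructed sample table in the mapping-file format.
SAMPLE_OK = """\
# constructed sample mapping table
0x41\t0x0041\t# LATIN CAPITAL LETTER A
0x8140\t0x4E02\t# a two-byte charset value
0x8141\t0x0041+0x0301\t# two code points for one charset value
"""
# A harmless expression in place of a hex token: eval() would evaluate it
# to 3, the parser rejects it.
SAMPLE_BAD = "len('abc')\t0x0041\n"

if __name__ == '__main__':
    print(parse_mapping(SAMPLE_OK))
    try:
        parse_mapping(SAMPLE_BAD)
    except MappingError as exc:
        print("rejected:", exc)
```

The parser fails loudly with the line number on the first malformed entry, which is what a test suite wants when a downloaded table is corrupted or tampered with: a clear failure, not silent acceptance and certainly not code execution.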

Member
@vstinner vstinner left a comment


LGTM.

Tests still pass with this change:

grep -l multibytecodec_support Lib/test/*py > tests
./python -m test -u all --fromfile=tests -j0 -v

@miss-islington
Contributor

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9.
🐍🍒⛏🤖

@serhiy-storchaka serhiy-storchaka deleted the test-multibytecodec_support-eval branch October 6, 2020 12:14
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 6, 2020
…CJK codec tests (pythonGH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-bot

GH-22576 is a backport of this pull request to the 3.9 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label Oct 6, 2020
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 6, 2020
…CJK codec tests (pythonGH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-bot

GH-22577 is a backport of this pull request to the 3.8 branch.

miss-islington added a commit that referenced this pull request Oct 6, 2020
…CJK codec tests (GH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@miss-islington
Contributor

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6.
🐍🍒⛏🤖

@miss-islington
Contributor

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

@bedevere-bot

GH-22578 is a backport of this pull request to the 3.7 branch.

@bedevere-bot

GH-22579 is a backport of this pull request to the 3.6 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 6, 2020
…CJK codec tests (pythonGH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 6, 2020
…CJK codec tests (pythonGH-22566)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
vstinner pushed a commit that referenced this pull request Oct 6, 2020
…CJK codec tests (GH-22566) (GH-22577)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
vstinner pushed a commit that referenced this pull request Oct 6, 2020
…UnicodeNames tests (GH-22575)

Similarly to GH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
shihai1991 added a commit to shihai1991/cpython that referenced this pull request Oct 9, 2020
* origin/master: (147 commits)
  Fix the attribute names in the docstring of GenericAlias (pythonGH-22594)
  bpo-39337: Add a test case for normalizing of codec names (pythonGH-19069)
  bpo-41557: Update Windows installer to use SQLite 3.33.0 (pythonGH-21960)
  bpo-41976: Fix the fallback to gcc of ctypes.util.find_library when using gcc>9 (pythonGH-22598)
  bpo-41306: Allow scale value to not be rounded (pythonGH-21715)
  bpo-41970: Avoid test failure in test_lib2to3 if the module is already imported (pythonGH-22595)
  bpo-41376: Fix the documentation of `site.getusersitepackages()` (pythonGH-21602)
  Revert "bpo-26680: Incorporate is_integer in all built-in and standard library numeric types (pythonGH-6121)" (pythonGH-22584)
  bpo-41923: PEP 613: Add TypeAlias to typing module (python#22532)
  Fix comment about PyObject_IsTrue. (pythonGH-22343)
  bpo-38605: Make 'from __future__ import annotations' the default (pythonGH-20434)
  bpo-41905: Add abc.update_abstractmethods() (pythonGH-22485)
  bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (pythonGH-22575)
  bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (pythonGH-22566)
  Post 3.10.0a1
  Python 3.10.0a1
  bpo-41584: clarify when the reflected method of a binary arithemtic operator is called (python#22505)
  bpo-41939: Fix test_site.test_license_exists_at_url() (python#22559)
  bpo-41774: Tweak new programming FAQ entry (pythonGH-22562)
  bpo-41936. Remove macros Py_ALLOW_RECURSION/Py_END_ALLOW_RECURSION (pythonGH-22552)
  ...
xzy3 pushed a commit to xzy3/cpython that referenced this pull request Oct 18, 2020
xzy3 pushed a commit to xzy3/cpython that referenced this pull request Oct 18, 2020
…UnicodeNames tests (pythonGH-22575)

Similarly to pythonGH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
ned-deily pushed a commit that referenced this pull request Oct 20, 2020
…CJK codec tests (GH-22566) (GH-22578)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ned-deily pushed a commit that referenced this pull request Oct 20, 2020
…CJK codec tests (GH-22566) (GH-22579)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gentoo-bot pushed a commit to gentoo/cpython that referenced this pull request Dec 14, 2020
…CJK codec tests (pythonGH-22566) (pythonGH-22579)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
Labels
tests Tests in the Lib/test dir type-security A security issue
5 participants