[reportlab-users] Fix for CVE-2019-17626 python-reportlab

Robin Becker robin at reportlab.com
Tue Dec 10 11:28:50 EST 2019


Hi, it's true we have attempted to address CVE-2019-17626 and other uses of eval
in the reportlab code.

The first attempt failed. I failed to understand that removing __builtins__ from the
globals passed in just made eval/exec put it back so that nothing really changed.

I think that can be addressed by adding in a dummy __builtins__ and experiments show
that at least the simple hole is closed. So that

toColor('open("/tmp/dumbo.txt","wb").write("bah!")')

does not create any file.

On the other hand the current rather simplistic attempt at safety by looking at the globals
in the module where safer_globals is called may not be safe enough.

I'll try and commit some code tomorrow to address the main problem.



On 09/12/2019 14:39, Riccardo Schirone wrote:
> Hi,
> 
> Sorry for contacting you directly, but I already tried on the
> reportlab-users at lists2.reportlab.com mailing list and got no reply.
> 
> I came across CVE-2019-17626 in python-reportlab[1], but I see no fix for it.
> There is actually a commit that seems to try to solve the issue, but it does
> not. Is there any other fix for that flaw?
> 
> Thanks a lot,
> 
> [1] https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
> 


-- 
Robin Becker
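The two attempts described in the mail, as an added illustration that is not reportlab's code nor code from the mail: passing globals with no `__builtins__` lets eval put the real one back, while a dummy `__builtins__` makes unlisted names fail to resolve. The expressions are constructed for the demo; the file-writing one is only ever evaluated under the restricted globals, so no file is created.

```python
# Constructed test expressions (not from reportlab). The second has the shape of
# the toColor() call quoted in the mail; under the dummy builtins the lookup of
# `open` fails before anything is written.
HARMLESS_EXPR = "1 + 2"
FILE_EXPR = 'open("/tmp/dumbo.txt","wb").write("bah!")'


def eval_with_empty_globals(expr):
    """First attempt: globals dict with __builtins__ simply left out.

    CPython inserts the real __builtins__ into the dict before evaluating, so
    nothing is actually restricted. Returns (result, key_was_reinserted).
    """
    g = {}
    result = eval(expr, g)
    return result, "__builtins__" in g


def eval_with_dummy_builtins(expr, allowed=None):
    """Second attempt: supply a dummy __builtins__ so eval does not restore the real one.

    Only names present in `allowed` (a hypothetical allowlist parameter) resolve;
    `open`, `__import__` and every other builtin raise NameError.
    """
    g = {"__builtins__": dict(allowed or {})}
    return eval(expr, g)


def blocked(expr, allowed=None):
    """True when `expr` cannot resolve a builtin under the dummy globals."""
    try:
        eval_with_dummy_builtins(expr, allowed)
    except NameError:
        return True
    return False


if __name__ == "__main__":
    # Attempt 1: the key comes back and the expression evaluates unrestricted.
    print(eval_with_empty_globals(HARMLESS_EXPR))      # (3, True)
    # Attempt 2: the simple hole is closed; `open` is no longer a known name.
    print(blocked(FILE_EXPR))                          # True
    print(eval_with_dummy_builtins("abs(-5)", {"abs": abs}))  # 5
    # Caveat matching the mail's own reservation: an empty __builtins__ dict is
    # not a sandbox. Attribute access on ordinary objects still reaches the
    # interpreter, so the robust fix is to parse colour strings without eval.
```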