[reportlab-users] Fix for CVE-2019-17626 python-reportlab

Robin Becker robin at reportlab.com
Tue Dec 10 11:28:50 EST 2019

Hi, it's true we have attempted to address CVE-2019-17626 and other uses of eval
in the reportlab code.

The first attempt failed. I failed to understand that removing __builtins__ from the
globals passed in just made eval/exec put it back so that nothing really changed.

I think that can be addressed by adding in a dummy __builtins__ and experiments show
that at least the simple hole is closed. So that


does not create any file.

On the other hand the current rather simplistic attempt at safety by looking at the globals
in the module where safer_globals is called may not be safe enough.

I'll try and commit some code tomorrow to address the main problem.

On 09/12/2019 14:39, Riccardo Schirone wrote:
> Hi,
> Sorry for contacting you directly, but I already tried on the
> reportlab-users at lists2.reportlab.com mailing list and got no reply.
> I came across CVE-2019-17626 in python-reportlab[1], but I see no fix for it.
> There is actually a commit that seems to try to solve the issue, but it does
> not. Is there any other fix for that flaw?
> Thanks a lot,
> [1] https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

Robin Becker
