[reportlab-users] Fix for CVE-2019-17626 python-reportlab
Robin Becker
robin at reportlab.com
Tue Dec 10 11:28:50 EST 2019
Hi, it's true we have attempted to address CVE-2019-17626 and other uses of eval
in the reportlab code.
The first attempt failed. I failed to understand that removing __builtins__ from the
globals passed in just made eval/exec put it back so that nothing really changed.
I think that can be addressed by adding in a dummy __builtins__ and experiments show
that at least the simple hole is closed. So that
toColor('open("/tmp/dumbo.txt","wb").write("bah!")')
does not create any file.
On the other hand the current rather simplistic attempt at safety by looking at the globals
in the module where safer_globals is called may not be safe enough.
I'll try and commit some code tomorrow to address the main problem.
On 09/12/2019 14:39, Riccardo Schirone wrote:
> Hi,
>
> Sorry for contacting you directly, but I already tried on the
> reportlab-users at lists2.reportlab.com mailing list and got no reply.
>
> I came across CVE-2019-17626 in python-reportlab[1], but I see no fix for it.
> There is actually a commit that seems to try to solve the issue, but it does
> not. Is there any other fix for that flaw?
>
> Thanks a lot,
>
> [1] https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
>
--
Robin Becker
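The following is an added illustration of the eval behaviour described in the post above; it is constructed example code, not reportlab's toColor or safer_globals. It assumes a stand-in Color class and shows that a globals dict merely lacking a __builtins__ key gets the real builtins re-inserted by eval, while an explicit empty __builtins__ makes builtin name lookups such as open fail.

```python
# Constructed example: how eval treats a missing vs. an explicit __builtins__ key.
# Not reportlab code; Color is a stand-in for the object a colour expression yields.


class Color:
    """Stand-in for the colour object an expression like Color(1,0,0) produces."""

    def __init__(self, r, g, b):
        self.rgb = (r, g, b)


def builtins_reinserted_by_eval():
    """Show that eval itself fills in a missing '__builtins__' key.

    CPython inserts a reference to the builtins namespace into the globals
    dict before evaluating, so removing the key is not a mitigation."""
    g = {}
    eval("1", g)
    return "__builtins__" in g  # True: the key is back after the call


def eval_without_builtins_key(expr):
    """First attempt: globals with the allowed names but no '__builtins__'.

    Every builtin (open, __import__, ...) is still reachable from expr."""
    g = {"Color": Color}
    return eval(expr, g)


def eval_with_dummy_builtins(expr):
    """Second attempt: an explicit, empty '__builtins__'.

    Name lookups that would otherwise fall through to builtins now raise
    NameError. This closes the simple hole, but it is not a full sandbox:
    whatever the allowed names expose (attributes, methods) stays reachable,
    which is why the globals handed to eval still need careful review."""
    g = {"__builtins__": {}, "Color": Color}
    return eval(expr, g)


def resolves_open(evaluator):
    """True if the bare name 'open' resolves to a callable under evaluator."""
    try:
        return callable(evaluator("open"))
    except NameError:
        return False


if __name__ == "__main__":
    print("builtins re-inserted:", builtins_reinserted_by_eval())
    print("open reachable, missing key:", resolves_open(eval_without_builtins_key))
    print("open reachable, dummy builtins:", resolves_open(eval_with_dummy_builtins))
    print("legit expr still works:", eval_with_dummy_builtins("Color(1, 0, 0)").rgb)
```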