[reportlab-users] Fix for CVE-2019-17626 python-reportlab
Robin Becker
robin at reportlab.com
Tue Jan 14 08:20:41 EST 2020
I made an effort to close the hole in reportlab.lib.colors.toColor and it seems to work mostly. I'm sure there is a way
for really creative python hackers to break out of the restricted python eval which I have borrowed from Zope and
others. At the start I thought it would be simple, but avoiding simple things like ' '*(10**200) seems quite difficult.
On 11/12/2019 18:33, Tim Roberts wrote:
> Marius Gedminas wrote:
>>
>> Unfortunately clearing __builtins__ is not enough to make eval() safe:
>> https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
>>
>> Usually ast.literal_eval() is the best safe replacement if all you need
>> is ints/floats/tuples/lists.
>
> It's also worth pointing out that most Python expressions are valid JSON objects. If your code has a JSON parser, you
> may be able to reuse that.
>
--
Robin Becker
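As an added illustration of the two points made in the thread (this is constructed example code, not reportlab's toColor or its fix): an eval() whose __builtins__ have been cleared still evaluates arithmetic, string repetition and attribute chains, so it is not a sandbox, whereas ast.literal_eval() and json.loads() only accept literal syntax and reject those constructs outright. The NAMED_COLORS table, the parse_color/literal_tuple/json_color helpers and the input strings are all assumptions made for the demo. Note that JSON syntax covers lists, dicts, strings and numbers but not tuples, so a JSON parser needs the input in list form.

```python
"""Constructed demo: restricted eval() versus literal-only parsers for colour strings."""
import ast
import json

# Hypothetical named-colour table (assumption for the demo; reportlab's is far larger).
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 1.0, 0.0),
    "blue": (0.0, 0.0, 1.0),
}

MAX_INPUT_LEN = 256  # cap: both eval() and literal_eval() choke on very long/deep input


def restricted_eval(expr):
    """The pattern the thread warns about: eval() with builtins removed."""
    return eval(expr, {"__builtins__": {}}, {})


def still_evaluates(expr):
    """True if the 'restricted' eval evaluates expr without raising."""
    try:
        restricted_eval(expr)
        return True
    except Exception:
        return False


def _check_components(value):
    """Accept only a 3- or 4-item sequence of numbers in [0, 1]; return a float tuple."""
    if not isinstance(value, (tuple, list)) or len(value) not in (3, 4):
        raise ValueError("expected 3 or 4 colour components")
    for c in value:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(c, bool) or not isinstance(c, (int, float)):
            raise ValueError("components must be numbers")
        if not 0 <= c <= 1:
            raise ValueError("components must lie in [0, 1]")
    return tuple(float(c) for c in value)


def literal_tuple(text):
    """Parse '(1, 0.5, 0)' with ast.literal_eval: names, calls, attributes and
    operators such as ** or * are rejected with ValueError, not evaluated."""
    return _check_components(ast.literal_eval(text))


def json_color(text):
    """Parse '[1, 0.5, 0]' with the JSON parser; '(1, 0.5, 0)' is not valid JSON."""
    return _check_components(json.loads(text))  # JSONDecodeError is a ValueError


def parse_color(text):
    """Dispatch on syntax: named colour, '#rrggbb' hex, or a literal tuple/list."""
    text = text.strip()
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("colour string too long")
    if text in NAMED_COLORS:
        return NAMED_COLORS[text]
    if text.startswith("#") and len(text) == 7:
        r, g, b = (int(text[i:i + 2], 16) for i in (1, 3, 5))  # non-hex raises ValueError
        return (r / 255, g / 255, b / 255)
    if text[:1] in "([":
        return literal_tuple(text)
    raise ValueError("unrecognised colour syntax: %r" % text)


def rejected(parser, text):
    """True if parser refuses text with ValueError or SyntaxError."""
    try:
        parser(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    # The cleared-builtins eval still runs all of these.
    for expr in ("10**200", "' '*100", "().__class__.__mro__"):
        print("restricted eval accepts %-25s -> %s" % (expr, still_evaluates(expr)))
    # literal_eval refuses the same constructs inside a colour tuple.
    for expr in ("(10**200, 0, 0)", "(' '*100, 0, 0)", "(().__class__, 0, 0)"):
        print("literal_tuple rejects %-25s -> %s" % (expr, rejected(literal_tuple, expr)))
    print(parse_color("(1, 0.5, 0)"), parse_color("#ff8000"), json_color("[1, 0.5, 0]"))
```

The dispatch on leading character matters: literal_eval is only reached for inputs that look like a tuple or list, and the component check afterwards rejects booleans, out-of-range values and wrong arity. The length cap is there because the Python docs warn that ast.literal_eval can crash the interpreter on deeply nested input through AST compiler stack depth limits, so a literal-only parser is safer than eval but still deserves an input bound.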