[reportlab-users] Fix for CVE-2019-17626 python-reportlab

Robin Becker robin at reportlab.com
Tue Jan 14 08:20:41 EST 2020

I made an effort to close the hole in reportlab.lib.colors.toColor and it seems to work mostly. I'm sure there is a way 
for really creative python hackers to break out of the restricted python eval which I have borrowed from Zope and 
others. At the start I thought it would be simple, but avoiding simple things like ' '*(10**200) seems quite difficult.

On 11/12/2019 18:33, Tim Roberts wrote:
> Marius Gedminas wrote:
>> Unfortunately clearing __builtins__ is not enough to make eval() safe:
>> https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
>> Usually ast.literal_eval() is the best safe replacement if all you need
>> is ints/floats/tuples/lists.
> It's also worth pointing out that most Python expressions are valid JSON objects.  If your code has a JSON parser, you 
> may be able to reuse that.
Robin Becker

More information about the reportlab-users mailing list