[reportlab-users] ReportLab 3.6.13 - security fix

Andy Robinson andy at reportlab.com
Thu Apr 27 09:31:57 EDT 2023


Version 3.6.13 of reportlab, and its commercial counterpart, rlextra - have
been released.

These fix a potential security vulnerability in the parsing of colours.
Previously, if someone had coded an application allowing user-input
expressions to be passed to our toColor constructor function, there was a
way to execute inappropriate code.  If you are doing this, please upgrade
to the newest version.

If, however, there are no external inputs and colours are set by you in
code (or validated to be simple and reasonable expressions), there is no
vulnerability.

Thanks to Elyas Damej of https://cure53.de/ for devising an ingenious
exploit, and reporting it to us first!

Best Regards

-- 
Andy Robinson
Managing Director, ReportLab
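The post's advice for applications that cannot upgrade immediately is to only pass colours that have been "validated to be simple and reasonable expressions". The following is an added example (not part of this post or of ReportLab's code; the function names and the colour-name allow-list are hypothetical) of such a check: it accepts only `#rgb` / `#rrggbb` literals and a fixed set of names, and converts them to RGB floats so the caller can build a `Color` directly instead of handing an arbitrary string to `toColor`.

```python
"""Allow-list validation for untrusted colour strings (added example)."""
import re

# Constructed, deliberately small allow-list of colour names -> hex.
NAMED_COLOURS = {
    "black": "#000000",
    "white": "#ffffff",
    "red": "#ff0000",
    "green": "#008000",
    "blue": "#0000ff",
}

# Strict grammar: '#' followed by exactly 3 or 6 hex digits, nothing else.
_HEX_RE = re.compile(r"\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\Z")


def is_safe_colour_expression(text):
    """True only for a hex literal or an allow-listed name (case-insensitive)."""
    if not isinstance(text, str) or len(text) > 16:
        return False
    return bool(_HEX_RE.match(text)) or text.strip().lower() in NAMED_COLOURS


def parse_colour(text):
    """Return (r, g, b) floats in [0, 1] for a validated colour string.

    Raises ValueError for anything outside the allow-list, so untrusted
    input is rejected before it could reach an expression-evaluating parser.
    """
    if not is_safe_colour_expression(text):
        raise ValueError("rejected colour expression: %r" % (text,))
    hex_value = NAMED_COLOURS.get(text.strip().lower(), text)
    digits = hex_value[1:]
    if len(digits) == 3:  # expand shorthand #abc -> #aabbcc
        digits = "".join(ch * 2 for ch in digits)
    r, g, b = (int(digits[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    return (r, g, b)


def to_reportlab_colour(text):
    """Build a reportlab Color from validated components (needs reportlab installed)."""
    from reportlab.lib.colors import Color  # real constructor: Color(red, green, blue, alpha=1)
    return Color(*parse_colour(text))
```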