Subject: arbitrary code execution in parsing of "repr-style" strings
The _get_string method, which handles opcode 'S' (STRING), uses the eval
function to evaluate the quoted string without performing adequate
sanitization first. The attached test case returns:
./t/08strings_unsafe......1/3
# Failed test at ./t/08strings_unsafe.t line 13.
# got: '0.479425538604203'
# expected: '@{[sin(0.5)]}'
# Looks like you failed 1 test of 3.
./t/08strings_unsafe...... Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/3 subtests
Test Summary Report
-------------------
./t/08strings_unsafe.t (Wstat: 256 Tests: 3 Failed: 1)
Failed test number(s): 3
Non-zero exit status: 1
Files=1, Tests=3, 0 wallclock secs ( 0.01 usr 0.00 sys + 0.04 cusr 0.00 csys = 0.05 CPU)
Result: FAIL
As can be seen, the embedded expression sin(0.5) is evaluated rather than
returned as text; more malicious applications are left as an exercise to
the reader.
(Note: My (upcoming) patch for bug #20244 will also fix this problem - I
just wanted to document this separately because it is more serious)
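To make the failure mode concrete, here is an added example that is not the module's code and not the attached test case: a hypothetical reconstruction of an eval-based string decoder beside a hardened replacement that decodes Python repr() escapes by hand and never calls eval. The function names get_string_eval and get_string_safe, the escape table, and the sample strings are all assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern (hypothetical reconstruction, not the module's code):
# the quoted repr-style string is handed to Perl's eval, so a double-quoted
# literal is interpolated and constructs such as @{[ ... ]} run arbitrary code.
sub get_string_eval {
    my ($repr) = @_;
    return eval $repr;
}

# Hardened replacement: decode the Python repr() escape sequences directly.
# Handles \\ \' \" \n \r \t \a \b \f \v, \xHH and octal \ooo; unknown
# escapes keep their backslash, as Python does.
my %SIMPLE_ESC = (
    '\\' => '\\', "'" => "'", '"' => '"',
    'n'  => "\n", 'r' => "\r", 't' => "\t",
    'a'  => "\a", 'b' => "\b", 'f' => "\f", 'v' => "\x0B",
);

sub get_string_safe {
    my ($repr) = @_;
    # Accept only a single literal delimited by matching ' or " quotes.
    $repr =~ /\A(['"])(.*)\1\z/s
        or die "malformed repr string: $repr\n";
    my ($quote, $body) = ($1, $2);
    my $out = '';
    my $i   = 0;
    my $len = length $body;
    while ($i < $len) {
        my $c = substr($body, $i, 1);
        die "unescaped quote inside string literal\n" if $c eq $quote;
        if ($c ne '\\') {
            $out .= $c;
            $i++;
            next;
        }
        # Backslash: decode the escape that follows it.
        $i++;
        die "dangling backslash\n" if $i >= $len;
        my $e = substr($body, $i, 1);
        if (exists $SIMPLE_ESC{$e}) {
            $out .= $SIMPLE_ESC{$e};
            $i++;
        }
        elsif ($e eq 'x' && substr($body, $i + 1, 2) =~ /\A[0-9A-Fa-f]{2}\z/) {
            $out .= chr hex substr($body, $i + 1, 2);
            $i += 3;
        }
        elsif (substr($body, $i) =~ /\A([0-7]{1,3})/) {
            $out .= chr oct $1;
            $i += length $1;
        }
        else {
            $out .= '\\' . $e;   # unknown escape: keep it literally
            $i++;
        }
    }
    return $out;
}

# Constructed sample input mirroring the bug report's expression: a
# double-quoted repr-style string whose text is @{[sin(0.5)]}.
my $payload = q{"@{[sin(0.5)]}"};
printf "eval-based : %s\n", get_string_eval($payload);   # 0.479425538604203
printf "safe parser: %s\n", get_string_safe($payload);   # @{[sin(0.5)]}

# Constructed sample showing that ordinary repr escapes still decode.
my $escaped = q{'it\'s\n\x41'};
print "escapes    : ", get_string_safe($escaped), "\n";   # it's<newline>A
```

The safe decoder treats the input purely as data: it validates the delimiters, walks the body one character at a time, and turns each escape into the byte it denotes, so interpolation syntax in the payload is returned verbatim instead of being executed. It also rejects an unterminated literal or a stray quote, which the eval-based version would have silently turned into a syntax error or worse.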
Attachment: strings_unsafe (message body not shown because it is not plain text)