From 3e4c2b7e8c7b3358597a0d484fa98f45483ee92a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Krier?=
Date: Mon, 29 Sep 2014 17:23:37 +0200
Subject: [PATCH] Prevent double underscore in safe_eval CVE-2014-6633 issue4155 review5601002
---
 CHANGELOG | 1 +
 trytond/tests/test_tools.py | 2 +-
 trytond/tools/misc.py | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 230f4605a..2958dd0d9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,4 @@
+* Prevent double underscore in safe_eval (CVE-2014-6633)
 * Add pre-validation on button
 * Model and Field access checked only if _check_access is set
 * Add check_access to RPC
diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
index 59393adf3..3a5c3ad4c 100644
--- a/trytond/tests/test_tools.py
+++ b/trytond/tests/test_tools.py
@@ -64,7 +64,7 @@ def test0060safe_eval_builtin(self):
 def test0061safe_eval_getattr(self):
 'Attempt to get arround direct attr access'
- self.assertRaises(NameError, safe_eval, "getattr(int, '__abs__')")
+ self.assertRaises(NameError, safe_eval, "getattr(int, 'real')")
 def test0062safe_eval_func_globals(self):
 'Attempt to access global enviroment where fun was defined'
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 481d2169a..ebe7c6620 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -369,8 +369,8 @@ def _compile_source(source):
 def safe_eval(source, data=None):
- if '__subclasses__' in source:
- raise ValueError('__subclasses__ not allowed')
+ if '__' in source:
+ raise ValueError('Double underscores not allowed')
 comp = _compile_source(source)
 return eval(comp, {'__builtins__': {
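Review bot: The rewritten assertion in test0061safe_eval_getattr removes the only test input that contained a dunder name, so the new `'__' in source` rejection introduced in trytond/tools/misc.py is no longer exercised by the suite at all; the old input should be kept as a second assertion pinning the new failure mode, `self.assertRaises(ValueError, safe_eval, "getattr(int, '__abs__')")`, so a later relaxation of the check is caught. The replacement input `getattr(int, 'real')` still raising NameError is worth keeping, as it separately confirms that `getattr` is absent from the restricted builtins regardless of the attribute name. The test also does not document that the check is a plain substring test on the source text, which rejects legitimate expressions that merely contain `__` inside a string literal; a short comment on the new assertion, `# '__' anywhere in the source is rejected before compilation, even inside string literals`, would make the intended contract explicit. The enclosing TestCase class starts before and continues after this hunk.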