Prevent double underscore in safe_eval

CVE-2014-6633 issue4155 review5601002
tryton · Sep 29, 2014 · 3e4c2b7 · 3e4c2b7
1 parent 0e2db00
commit 3e4c2b7
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,4 @@
+* Prevent double underscore in safe_eval (CVE-2014-6633)
 * Add pre-validation on button
 * Model and Field access checked only if _check_access is set
 * Add check_access to RPC

diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
@@ -64,7 +64,7 @@ def test0060safe_eval_builtin(self):
 
     def test0061safe_eval_getattr(self):
         'Attempt to get arround direct attr access'
-        self.assertRaises(NameError, safe_eval, "getattr(int, '__abs__')")
+        self.assertRaises(NameError, safe_eval, "getattr(int, 'real')")
 
     def test0062safe_eval_func_globals(self):
         'Attempt to access global enviroment where fun was defined'

diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
@@ -369,8 +369,8 @@ def _compile_source(source):
 
 
 def safe_eval(source, data=None):
-    if '__subclasses__' in source:
-        raise ValueError('__subclasses__ not allowed')
+    if '__' in source:
+        raise ValueError('Double underscores not allowed')
 
     comp = _compile_source(source)
     return eval(comp, {'__builtins__': {