upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-23 00:00:51 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix python examples/calc.py for eval, reported by X41 D-Sec.

Browse source
This commit is contained in:
W.C.A. Wijngaards 2019-11-20 15:07:09 +01:00
parent da4d6ffee3
commit 8833d44d01
2 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/Changelog
View file

@ -38,6 +38,7 @@
- Fix NULL Pointer Dereference via Control Port, - Fix NULL Pointer Dereference via Control Port,
reported by X41 D-Sec. reported by X41 D-Sec.
- Fix Bad Randomness in Seed, reported by X41 D-Sec. - Fix Bad Randomness in Seed, reported by X41 D-Sec.
- Fix python examples/calc.py for eval, reported by X41 D-Sec.
19 November 2019: Wouter 19 November 2019: Wouter
- Fix CVE-2019-18934, shell execution in ipsecmod. - Fix CVE-2019-18934, shell execution in ipsecmod.

8
pythonmod/examples/calc.py
View file

@ -45,9 +45,13 @@ def operate(id, event, qstate, qdata):
if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS): if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
if qstate.qinfo.qname_str.endswith("._calc_.cz."): if qstate.qinfo.qname_str.endswith("._calc_.cz.") and not ("__" in qstate.qinfo.qname_str):
try: try:
res = eval(''.join(qstate.qinfo.qname_list[0:-3])) # the second and third argument to eval attempt to restrict
# functions and variables available to stop code execution
# but it may not be safe either. This is why __ substrings
# are excluded from evaluation.
res = eval(''.join(qstate.qinfo.qname_list[0:-3]),{"__builtins__":None},{})
except: except:
res = "exception" res = "exception"