- Fix python examples/calc.py for eval, reported by X41 D-Sec.

2025-12-20 23:00:56 -05:00 · 2019-11-20 15:07:09 +01:00 · 2019-11-20 15:07:09 +01:00 · 8833d44d01
commit 8833d44d01
parent da4d6ffee3
2 changed files with 7 additions and 2 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -38,6 +38,7 @@
 	- Fix NULL Pointer Dereference via Control Port,
 	  reported by X41 D-Sec.
 	- Fix Bad Randomness in Seed, reported by X41 D-Sec.
+	- Fix python examples/calc.py for eval, reported by X41 D-Sec.

 19 November 2019: Wouter
 	- Fix CVE-2019-18934, shell execution in ipsecmod.
--- a/pythonmod/examples/calc.py
+++ b/pythonmod/examples/calc.py
@ -45,9 +45,13 @@ def operate(id, event, qstate, qdata):

    if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):

-        if qstate.qinfo.qname_str.endswith("._calc_.cz."):
+        if qstate.qinfo.qname_str.endswith("._calc_.cz.") and not ("__" in qstate.qinfo.qname_str):
            try:
-                res = eval(''.join(qstate.qinfo.qname_list[0:-3]))
+                # the second and third argument to eval attempt to restrict
+                # functions and variables available to stop code execution
+                # but it may not be safe either.  This is why __ substrings
+                # are excluded from evaluation.
+                res = eval(''.join(qstate.qinfo.qname_list[0:-3]),{"__builtins__":None},{})
            except:
                res = "exception"