This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Classification
Title: NamedTuple security issue
Type: (not set)
Stage: (not set)
Components: Library (Lib)
Versions: Python 2.6

Process
Status: closed
Resolution: fixed
Dependencies: (none)
Superseder: (none)
Assigned To: rhettinger
Nosy List: brett.cannon, christian.heimes, rhettinger
Priority: normal
Keywords: (none)

Created on 2007-05-20 18:00 by christian.heimes, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name: NamedTuple_55472.diff
Uploaded: christian.heimes, 2007-05-20 20:40
Description: Patch against trunk r55472
Messages (7)
msg32085 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2007-05-20 18:00
collections.NamedTuple is using an assert to prevent exec attacks:

    assert ''.join(field_names).replace('_', '').isalpha()  # protect against exec attack

asserts are ignored when Python code is run with the -O or -OO flag. I suggest replacing them.

msg32086 - Author: Brett Cannon (brett.cannon) (Python committer) Date: 2007-05-20 19:23
Or you could just not have the security protection in there.  I am sure there are a ton of other places that are not protected against malicious use of exec.
msg32087 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2007-05-20 20:40
It's less than a ton (how do I weigh source code? *g*) but it's used in some modules. Personally I don't like the usage of exec/execfile and I'm always worried when I see code that utilizes it. I've created a patch that checks typename and field_names for non-alphanumeric characters.

Bastion.py:    exec testcode
bdb.py:                exec cmd in globals, locals
cgi.py:            exec "testing print_exception() -- <I>italics?</I>"
code.py:            exec code in self.locals
collections.py:    exec template in m
cProfile.py:            exec cmd in globals, locals
doctest.py:                exec compile(example.source, filename, "single",
hashlib.py:            exec funcName + ' = f'
hashlib.py:                exec funcName + ' = __get_builtin_constructor(funcName)'
ihooks.py:            exec code in m.__dict__
imputil.py:                exec code in module.__dict__
pdb.py:            exec code in globals, locals
profile.py:            exec cmd in globals, locals
rexec.py:        exec TEMPLATE % (m, m)
rexec.py:        exec code in m.__dict__
runpy.py:    exec code in run_globals
site.py:                exec line
socket.py:        exec _s % (_m, _m, _m, _m)
timeit.py:            exec code in globals(), ns
timeit.py:                    exec _setup in globals(), ns
trace.py:            exec cmd in dict, dict
trace.py:            exec cmd in globals, locals


File Added: NamedTuple_55472.diff
msg32088 - Author: Raymond Hettinger (rhettinger) (Python committer) Date: 2007-05-21 05:39
Will replace the assertion with something that always executes.
msg32089 - Author: Raymond Hettinger (rhettinger) (Python committer) Date: 2007-05-21 08:25
Fixed. See revision 55487.
msg32090 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2007-05-21 09:25
You forgot two things:

 * check for isalnum() instead of isalpha() to allow numbers in type and field names. The current check disallows Point = NamedTuple('Point3', 'x1 x2 x3')
 * add unit tests to verify that a value error is raised
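The two points raised in this thread, an assert that vanishes under -O and an isalpha() check that rejects digits, as an added example. This is not the attached NamedTuple_55472.diff nor the code committed in r55487; the function names are ours, and it is Python 3 code whereas the issue concerns Python 2.6. It places the assert-based check beside an explicit check that raises ValueError, using the isalnum() variant requested in msg32090.

```python
# Added example; not the patch from this issue nor the r55487 change.
# Function names below are assumptions. Python 3 (the 2.6 original used
# the exec statement, which is irrelevant to the validation logic shown).


def old_is_safe_name(name):
    """The check quoted in msg32085: isalpha() after dropping underscores.
    It rejects digits, so 'x1' and 'Point3' fail."""
    return name.replace('_', '').isalpha()


def is_safe_name(name):
    """The check requested in msg32090: isalnum() after dropping underscores.
    Digits are allowed; spaces, quotes and punctuation that could break out
    of an exec'd class template are not."""
    return bool(name) and name.replace('_', '').isalnum()


def validate_names_with_assert(typename, field_names):
    """The original approach. Under 'python -O' asserts are compiled away,
    so this function accepts any names without complaint."""
    names = [typename] + list(field_names)
    assert all(is_safe_name(n) for n in names), 'protect against exec attack'
    return names


def validate_names(typename, field_names):
    """The fixed approach: an ordinary if-statement that raises ValueError,
    which behaves the same with or without -O/-OO."""
    if isinstance(field_names, str):
        field_names = field_names.split()
    names = [typename] + list(field_names)
    for name in names:
        if not is_safe_name(name):
            raise ValueError(
                'Type names and field names can only contain '
                'alphanumeric characters and underscores: %r' % (name,))
    return names


def rejects(typename, field_names):
    """True when validate_names() refuses the names; this is the shape of
    the unit test asked for in msg32090."""
    try:
        validate_names(typename, field_names)
    except ValueError:
        return True
    return False


def assert_check_is_active():
    """True only while __debug__ is True (i.e. not running under -O).
    Shows why the assert was never a reliable guard."""
    try:
        validate_names_with_assert('Point', ['x', 'y z'])
    except AssertionError:
        return True
    return False


if __name__ == '__main__':
    print('isalpha() rejects Point3:', not old_is_safe_name('Point3'))
    print('isalnum() accepts Point3:', is_safe_name('Point3'))
    print('explicit check rejects "y z":', rejects('Point', ['x', 'y z']))
    print('assert check active (__debug__=%s):' % __debug__,
          assert_check_is_active())
```

Run it twice, once as `python example.py` and once as `python -O example.py`: the explicit check rejects the bad field name both times, while the assert-based check only fires in the first run.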
msg32091 - Author: Raymond Hettinger (rhettinger) (Python committer) Date: 2007-05-21 16:49
Fixed.
History
Date                 User               Action   Args
2022-04-11 14:56:24  admin              set      github: 44980
2007-05-20 18:00:35  christian.heimes   create