Unsafe string interpretation when using the eval() function

- Affected Components : builtin, eval
- Operating System : Linux, Windows
- Python Versions : 2.6.x, 2.7.x
- Reproducible : Yes
```python
from __future__ import print_function  # runs unchanged on Python 2.6+ and Python 3

# Note: neither 'os' nor 'sys' is imported here. eval() reaches the os
# module on its own through __import__, which CPython re-inserts into the
# (empty) globals dict passed as the second argument.
try:
    # Linux/Unix
    eval("__import__('os').system('clear')", {})
    # Windows
    #eval("__import__('os').system('cls')", {})
    print("Module OS loaded by eval")
except Exception as e:
    print(repr(e))
```
To reproduce the problem, copy the source code into a file and execute the script with the following command:

$ python -OOBRtt test.py

Alternatively, open Python in interactive mode:

$ python -OOBRtt <press enter>

Then paste the lines of code into the interpreter.

Run the script in a terminal or console session and you should see a cleared terminal window with only one line at the top:

Module OS loaded by eval
In Python the function eval executes a string as code, and the caller has no way to constrain what that code does. Passing an empty or stripped-down globals dict, as in the example above, does not help: CPython re-inserts __builtins__ into an empty globals dict, and even with __builtins__ removed every object still exposes the class hierarchy through attributes such as __class__, so the string can reach any code loaded in the process without a single import statement of its own.
Any malicious code is executed without limits, with the privileges of the user who started the interpreter.
This function is REALLY DANGEROUS if used to parse user input or strings from untrusted sources.
We are not aware of any easy solution other than avoiding eval in cases like the one examined. Where the input is expected to be a plain Python literal (numbers, strings, lists, dicts), ast.literal_eval parses it without executing code; anything more expressive than that needs a purpose-built parser that only accepts the syntax you intend to allow.
[Python builtins][01]
[Python sys module][02]

[01]: https://docs.python.org/2/library/functions.html#eval
[02]: https://docs.python.org/2/library/sys.html
Main site: pythonsecurity.org
OWASP Page: owasp.org/index.php/OWASP_Python_Security_Project