From 8833d44d014414c65e50879286bd728c4d8a3b43 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Wed, 20 Nov 2019 15:07:09 +0100
Subject: [PATCH] - Fix python examples/calc.py for eval, reported by X41
 D-Sec.

---
 doc/Changelog              | 1 +
 pythonmod/examples/calc.py | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index a92870553..7408e8371 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -38,6 +38,7 @@
 	- Fix NULL Pointer Dereference via Control Port,
 	  reported by X41 D-Sec.
 	- Fix Bad Randomness in Seed, reported by X41 D-Sec.
+	- Fix python examples/calc.py for eval, reported by X41 D-Sec.
 
 19 November 2019: Wouter
 	- Fix CVE-2019-18934, shell execution in ipsecmod.
diff --git a/pythonmod/examples/calc.py b/pythonmod/examples/calc.py
index 3230e37e3..8c15f50b9 100644
--- a/pythonmod/examples/calc.py
+++ b/pythonmod/examples/calc.py
@@ -45,9 +45,13 @@ def operate(id, event, qstate, qdata):
 
     if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
 
-        if qstate.qinfo.qname_str.endswith("._calc_.cz."):
+        if qstate.qinfo.qname_str.endswith("._calc_.cz.") and not ("__" in qstate.qinfo.qname_str):
             try:
-                res = eval(''.join(qstate.qinfo.qname_list[0:-3]))
+                # the second and third argument to eval attempt to restrict
+                # functions and variables available to stop code execution
+                # but it may not be safe either.  This is why __ substrings
+                # are excluded from evaluation.
+                res = eval(''.join(qstate.qinfo.qname_list[0:-3]),{"__builtins__":None},{})
             except:
                 res = "exception"
 
-- 
2.47.3