- Fix NULL Pointer Dereference via Control Port,
reported by X41 D-Sec.
- Fix Bad Randomness in Seed, reported by X41 D-Sec.
+ - Fix python examples/calc.py for eval, reported by X41 D-Sec.
19 November 2019: Wouter
- Fix CVE-2019-18934, shell execution in ipsecmod.
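Review bot: The added entry "Fix python examples/calc.py for eval" names only the file, while the neighbouring entries ("Fix NULL Pointer Dereference via Control Port", "Fix Bad Randomness in Seed") each state the bug class; state it here too, e.g. "Fix code execution via eval() of query names in python examples/calc.py", so a reader scanning the changelog can judge the impact without opening the diff.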
if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
- if qstate.qinfo.qname_str.endswith("._calc_.cz."):
+ if qstate.qinfo.qname_str.endswith("._calc_.cz.") and not ("__" in qstate.qinfo.qname_str):
try:
- res = eval(''.join(qstate.qinfo.qname_list[0:-3]))
+ # the second and third argument to eval attempt to restrict
+ # functions and variables available to stop code execution
+ # but it may not be safe either. This is why __ substrings
+ # are excluded from evaluation.
+ res = eval(''.join(qstate.qinfo.qname_list[0:-3]),{"__builtins__":None},{})
except:
res = "exception"
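Review bot: Passing `{"__builtins__":None},{}` to eval and rejecting names containing `__` narrows the attack surface but, as the new comment itself concedes ("it may not be safe either"), it still hands attacker-controlled DNS query data to the Python evaluator; the safer fix is to drop eval entirely and evaluate the expression with a small `ast`-based walker that accepts only numeric literals and arithmetic operators (`ast.BinOp`, `ast.UnaryOp`, `ast.Constant`) and rejects every other node type. Two smaller points: the `"__" in qstate.qinfo.qname_str` filter is applied to the whole name while only `qname_list[0:-3]` is evaluated, which is fine but worth a comment, and the bare `except:` should become `except Exception:` so `SystemExit` and `KeyboardInterrupt` are not swallowed into `res = "exception"`.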