From: W.C.A. Wijngaards
Date: Wed, 20 Nov 2019 14:07:09 +0000 (+0100)
Subject: - Fix python examples/calc.py for eval, reported by X41 D-Sec.
X-Git-Tag: release-1.9.6rc1~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8833d44d014414c65e50879286bd728c4d8a3b43;p=thirdparty%2Funbound.git
- Fix python examples/calc.py for eval, reported by X41 D-Sec.
---
diff --git a/doc/Changelog b/doc/Changelog
index a92870553..7408e8371 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -38,6 +38,7 @@
- Fix NULL Pointer Dereference via Control Port, reported by X41 D-Sec.
- Fix Bad Randomness in Seed, reported by X41 D-Sec.
+ - Fix python examples/calc.py for eval, reported by X41 D-Sec.
19 November 2019: Wouter
- Fix CVE-2019-18934, shell execution in ipsecmod.
diff --git a/pythonmod/examples/calc.py b/pythonmod/examples/calc.py
index 3230e37e3..8c15f50b9 100644
--- a/pythonmod/examples/calc.py
+++ b/pythonmod/examples/calc.py
@@ -45,9 +45,13 @@ def operate(id, event, qstate, qdata):
if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
- if qstate.qinfo.qname_str.endswith("._calc_.cz."):
+ if qstate.qinfo.qname_str.endswith("._calc_.cz.") and not ("__" in qstate.qinfo.qname_str):
try:
- res = eval(''.join(qstate.qinfo.qname_list[0:-3]))
+ # the second and third argument to eval attempt to restrict
+ # functions and variables available to stop code execution
+ # but it may not be safe either. This is why __ substrings
+ # are excluded from evaluation.
+ res = eval(''.join(qstate.qinfo.qname_list[0:-3]),{"__builtins__":None},{})
except:
res = "exception"