report at bugs
Jul 24, 2012, 5:14 PM
Post #1 of 8
New submission from Graham Dumpleton <Graham.Dumpleton [at] gmail>:
[issue15445] Ability to do code injection via logging module configuration listener port.
This issue was raised first on security [at] python Guido responded that not sensitive enough to be kept to the list and that okay to log a bug report.
This issue may not warrant any action except perhaps an update to
documentation for the logging module to warn about it, but thought
that should raise it just in case someone felt it needed actual code
changes to be made to avoid the issue if possible.
The problem arises in the Python logging modules ability to create a
listener socket which can accept new configuration in the ini file
"""To send a configuration to the socket, read in the configuration
file and send it to the socket as a string of bytes preceded by a
four-byte length string packed in binary using struct.pack('>L',
This sounds innocuous and the documentation at that point doesn't warn
that you are opening yourself up to security problems in using it.
You get a hint of potential issues later if one reads later
documentation about the file format:
"""The class entry indicates the handler’s class (as determined by
eval() in the logging package’s namespace). The level is interpreted
as for loggers, and NOTSET is taken to mean ‘log everything’."""
There are other mentions about eval() in context of log level and args
for the handler class as well, but not sure that is used for log level
as it says.
The combination of the open listener port for configuration and that
processing of the configuration file uses eval(), means that one could
send a configuration file to the process containing:
class=os.system('echo security issue') or StreamHandler
and one could execute an arbitrary command as the user the process runs as.
The problem is tempered by the fact that someone has to enable the
feature, which is likely rare, but also because socket connections to
send new configuration will only be accepted from the same host
('localhost') and the host can not be overridden. So can only be taken
advantage of by someone (potentially a different user) on the same
host and not remotely at least.
The specific code in Python 3.2 is:
section = cp["handler_%s" % hand]
klass = section["class"]
fmt = section.get("formatter", "")
klass = eval(klass, vars(logging))
except (AttributeError, NameError):
klass = _resolve(klass)
args = section["args"]
args = eval(args, vars(logging))
h = klass(*args)
and older Python 2.X versions have similar code.
Although you could perhaps avoid need for eval for class lookup, can't
see that you could do that for args unless you restrict it to literal
values and use a more limited eval like parser.
At the minimum there probably should be a warning in the documentation about using the logging module configuration port on untrusted systems with shared users.
components: Library (Lib)
title: Ability to do code injection via logging module configuration listener port.
versions: Python 3.2
Python tracker <report [at] bugs>
Python-bugs-list mailing list