Safety of Python 'eval' For List Deserialization


Question

Are there any security exploits that could occur in this scenario:

eval(repr(unsanitized_user_input), {"__builtins__": None}, {"True":True, "False":False})

where unsanitized_user_input is a str object. The string is user-generated and could be nasty. Assuming our web framework hasn't failed us, it's a real honest-to-god str instance from the Python builtins.

If this is dangerous, can we do anything to the input to make it safe?

We definitely don't want to execute anything contained in the string.

See also:

  • Funny blog post about eval safety
  • Previous Question
  • Blog: Fast deserialization in Python

The larger context which is (I believe) not essential to the question is that we have thousands of these:

repr([unsanitized_user_input_1,
      unsanitized_user_input_2,
      unsanitized_user_input_3,
      unsanitized_user_input_4,
      ...])

in some cases nested:

repr([[unsanitized_user_input_1,
       unsanitized_user_input_2],
      [unsanitized_user_input_3,
       unsanitized_user_input_4],
       ...])

which are themselves converted to strings with repr(), put in persistent storage, and eventually read back into memory with eval.

Eval deserialized the strings from persistent storage much faster than pickle and simplejson. The interpreter is Python 2.5 so json and ast aren't available. No C modules are allowed and cPickle is not allowed.
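As an added example that is not part of the original question, the following Python 3 code checks both halves of the design above: that repr() of a genuine str cannot carry an injection through the eval() restrictions shown, and that those same restrictions do nothing against text that did not come from repr() (for instance a tampered record in persistent storage). It assumes CPython 3, where the class name os._wrap_close is an implementation detail and the os module is already imported at interpreter startup; note also that in Python 3 True is a keyword, so the {"True": True} binding is never consulted.

```python
# Added example (not from the original post): what the question's eval()
# restrictions do and do not buy you. Assumes CPython 3; os._wrap_close is
# a CPython implementation detail, and os is imported at interpreter startup.

SANDBOX_GLOBALS = {"__builtins__": None}
SANDBOX_LOCALS = {"True": True, "False": False}


def restricted_eval(text):
    """eval() exactly as in the question: no builtins, only True/False bound."""
    return eval(text, SANDBOX_GLOBALS, SANDBOX_LOCALS)


def roundtrip(values):
    """Serialize a nested list of str with repr() and read it back."""
    return restricted_eval(repr(values))


# Constructed hostile user strings. repr() of a genuine str always emits a
# quoted, escaped literal, so nothing the user typed can leave the literal.
HOSTILE_INPUTS = [
    "', __import__('os').system('id'), '",
    '"; True.__class__.__mro__[-1].__subclasses__() #',
    "\\' + 1 + '",
    "plain text with no tricks",
]
SAMPLE_RECORD = [HOSTILE_INPUTS, ["nested", HOSTILE_INPUTS[0]]]


def repr_is_injection_safe():
    """True when every hostile string survives repr()/eval() unchanged."""
    return roundtrip(SAMPLE_RECORD) == SAMPLE_RECORD


def builtin_lookup_is_blocked():
    """The restriction does block direct builtin name lookups (this raises)."""
    try:
        restricted_eval("__import__('os')")
    except (NameError, TypeError):
        return True
    return False


# What the sandbox does NOT stop. If the text handed to eval() did not come
# from repr() (tampered storage, a bug upstream), attribute access alone walks
# from a bound object to object, to every loaded class, and from a class's
# __init__ to that module's globals. No builtin name is ever looked up.
TAMPERED_RECORD = (
    "[c for c in True.__class__.__mro__[-1].__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__"
)


def sandbox_escape_reaches_module_globals():
    """Names from the os module namespace that the payload gets hold of."""
    reached = restricted_eval(TAMPERED_RECORD)
    return sorted(n for n in ("system", "popen", "__builtins__") if n in reached)


if __name__ == "__main__":
    print("repr round trip safe:", repr_is_injection_safe())
    print("direct builtin lookup blocked:", builtin_lookup_is_blocked())
    print("reachable through tampered text:", sandbox_escape_reaches_module_globals())
```

The first two checks pass and the third still hands back the os module namespace, including its __builtins__ entry: the restriction only removes a name lookup table, not the object graph. That is why the danger in this design lives in the stored text, not in the user's original string.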

Answer

It is indeed dangerous and the safest alternative is ast.literal_eval (see the ast module in the standard library). You can of course build and alter an ast to provide e.g. evaluation of variables and the like before you eval the resulting AST (when it's down to literals).

The possible exploit of eval starts with any object it can get its hands on (say True here) and going via .__class__ to its type object, etc. up to object, then gets its subclasses... basically it can get to ANY object type and wreak havoc. I can be more specific but I'd rather not do it in a public forum (the exploit is well known, but considering how many people still ignore it, revealing it to wannabe script kiddies could make things worse... just avoid eval on unsanitized user input and live happily ever after!-).
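The loader below is an added example, not the answer's own code, showing the ast.literal_eval replacement the answer recommends together with the checks a practitioner would add: ast.literal_eval also accepts numbers, tuples, dicts, sets, bytes and None, none of which repr() of the question's records can produce, so the result is validated against the expected shape, and a length cap bounds parser work on hostile text. It is written for Python 3; ast itself is in the standard library from Python 2.6 on, so it does not help the Python 2.5 interpreter mentioned in the question. The MalformedRecord class, load_record and the sample inputs are this example's own.

```python
# Added example (not the answer's own code): replacing the eval() loader with
# ast.literal_eval plus a shape check. Written for Python 3.
import ast


class MalformedRecord(ValueError):
    """Stored text is not the nested list of str this loader accepts."""


def _check_shape(value, depth=0, max_depth=8):
    """Allow only str and lists of str nested at most max_depth deep.

    ast.literal_eval also accepts numbers, tuples, dicts, sets, bytes and
    None; repr() of our records never emits those, so reject them here.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, list):
        if depth >= max_depth:
            raise MalformedRecord("nesting deeper than %d levels" % max_depth)
        return [_check_shape(item, depth + 1, max_depth) for item in value]
    raise MalformedRecord("unexpected %s in record" % type(value).__name__)


def load_record(text, max_length=1000000):
    """Read back a record written with repr(); never executes code.

    literal_eval parses but does not evaluate names, calls or attribute
    access, so the sandbox-escape payload below is rejected before any
    object is touched. The length cap bounds parser work on hostile input.
    """
    if len(text) > max_length:
        raise MalformedRecord("record longer than %d characters" % max_length)
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise MalformedRecord("not a literal: %s" % exc) from None
    return _check_shape(value)


def load_or_error(text):
    """Return the loaded record, or the error class name for the demo below."""
    try:
        return load_record(text)
    except MalformedRecord:
        return "MalformedRecord"


# Constructed inputs: a legitimate record as the question stores it, and the
# kind of text only tampering (never repr() of a str) could put in storage.
SAMPLE_RECORD = [["', __import__('os').system('id'), '", "plain"], ["nested"]]
TAMPERED_RECORD = (
    "[c for c in True.__class__.__mro__[-1].__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__"
)

if __name__ == "__main__":
    print(load_or_error(repr(SAMPLE_RECORD)))   # the original nested list
    print(load_or_error(TAMPERED_RECORD))       # MalformedRecord
    print(load_or_error("[1, 2]"))              # MalformedRecord: ints rejected
    print(load_or_error("{'a': 'b'}"))          # MalformedRecord: dict rejected
```

The shape check is the part people skip: literal_eval alone would happily return a dict or a float where the code expects a list of strings, and a deeply nested literal can still exhaust the parser, which is why RecursionError and MemoryError are folded into the same rejection path.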
