File CVE-2023-33733-code-injection.patch of Package python-reportlab
---
 src/reportlab/lib/colors.py | 51 +++++++++++++++++++++++++++-----------
 src/reportlab/lib/rl_safe_eval.py | 4 ++
 tests/test_lib_rl_safe_eval.py | 2 -
 3 files changed, 41 insertions(+), 16 deletions(-)
--- a/src/reportlab/lib/colors.py
+++ b/src/reportlab/lib/colors.py
@@ -859,20 +859,43 @@ class toColor:
 C = getAllNamedColors()
 s = arg.lower()
 if s in C: return C[s]
- G = C.copy()
- G.update(self.extraColorsNS)
- if not self._G:
- C = globals()
- self._G = {s:C[s] for s in '''Blacker CMYKColor CMYKColorSep Color ColorType HexColor PCMYKColor PCMYKColorSep Whiter
- _chooseEnforceColorSpace _enforceCMYK _enforceError _enforceRGB _enforceSEP _enforceSEP_BLACK
- _enforceSEP_CMYK _namedColors _re_css asNative cmyk2rgb cmykDistance color2bw colorDistance
- cssParse describe fade fp_str getAllNamedColors hsl2rgb hue2rgb isStr linearlyInterpolatedColor
- literal_eval obj_R_G_B opaqueColor rgb2cmyk setColors toColor toColorOrNone'''.split()}
- G.update(self._G)
- try:
- return toColor(rl_safe_eval(arg, g=G, l={}))
- except:
- pass
+ if True: #*TODO* replace with rl_config option
+ G = C.copy()
+ G.update(self.extraColorsNS)
+ if not self._G:
+ C = globals()
+ self._G = {s:C[s] for s in '''Blacker CMYKColor CMYKColorSep Color ColorType HexColor PCMYKColor PCMYKColorSep Whiter
+ _chooseEnforceColorSpace _enforceCMYK _enforceError _enforceRGB _enforceSEP _enforceSEP_BLACK
+ _enforceSEP_CMYK _namedColors _re_css asNative cmyk2rgb cmykDistance color2bw colorDistance
+ cssParse describe fade fp_str getAllNamedColors hsl2rgb hue2rgb isStr linearlyInterpolatedColor
+ literal_eval obj_R_G_B opaqueColor rgb2cmyk setColors toColor toColorOrNone'''.split()}
+ G.update(self._G)
+ try:
+ import ast
+ try:
+ return toColor(ast.literal_eval(arg))
+ except:
+ ##################################################################################
+ import re
+ allowedColorClasses = '''Color CMYKColor PCMYKColor CMYKColorSep PCMYKColorSep'''
+ def get_class_instance(class_string):
+ pattern = r'^(\w+)\((.*)\)$'
+ match = re.match(pattern, class_string)
+ if match:
+ class_name = match.group(1)
+ args_str = match.group(2)
+ args = [int(x) if x.isdigit() else x for x in args_str.split(',')]
+ if class_name in allowedColorClasses:
+ class_obj = globals().get(class_name)
+ instance = class_obj(*args)
+ return instance
+ raise ValueError('Invalid color object %r' % (class_name))
+ ###################################################################################
+ inst = get_class_instance(arg)
+ if inst is not None:
+ return inst
+ except:
+ pass
 try:
 return HexColor(arg)
--- a/src/reportlab/lib/rl_safe_eval.py
+++ b/src/reportlab/lib/rl_safe_eval.py
@@ -60,7 +60,9 @@ __rl_unsafe__ = frozenset('''builtins br func_doc func_globals func_name gi_code gi_frame gi_running gi_yieldfrom __globals__ im_class im_func im_self __iter__ __kwdefaults__ __module__ __name__ next __qualname__ __self__ tb_frame tb_lasti tb_lineno tb_next
- globals vars locals'''.split()
+ globals vars locals
+ type eval exec aiter anext classmethod compile dir open
+ dir print classmethod staticmethod __import__ super property'''.split()
 )
 __rl_unsafe_re__ = re.compile(r'\b(?:%s)' % '|'.join(__rl_unsafe__),re.M)
--- a/tests/test_lib_rl_safe_eval.py
+++ b/tests/test_lib_rl_safe_eval.py
@@ -52,7 +52,6 @@ class SafeEvalTestSequenceMeta(type):
 'dict(a=1).get("a",2)',
 'dict(a=1).pop("a",2)',
 '{"_":1+_ for _ in (1,2)}.pop(1,None)',
- '(type(1),type(str),type(testObj),type(TestClass))',
 '1 if True else "a"',
 '1 if False else "a"',
 'testFunc(bad=False)',
@@ -77,6 +76,7 @@ class SafeEvalTestSequenceMeta(type):
 (
 'fail',
 (
+ '(type(1),type(str),type(testObj),type(TestClass))',
 'open("/tmp/myfile")',
 None if isPy3 else 'file("/tmp/myfile")',
 'SafeEvalTestCase.__module__',
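Review bot: The allow-list check in `get_class_instance` is a substring test, not a membership test: `allowedColorClasses` is left as one string, so `class_name in allowedColorClasses` is true for any `\w+` fragment of it such as `Col`, `MYK` or `Sep`, after which whatever `globals().get(class_name)` returns is called with caller-chosen positional arguments and only the bare `except:` around the whole path hides a miss (nothing dangerous is visible among those fragments here, but the list no longer does what its name says). Two further defects sit in the same helper: when the regex does not match, `class_name` is unbound at the `raise ValueError(...)` line, so the intended ValueError becomes an UnboundLocalError swallowed by the same `except:`, and `int(x) if x.isdigit() else x` hands floats, negative numbers and any token with a space after the comma to the constructor as strings, so `Color(0.5,0.5,0.5)` no longer reaches the constructor with numbers as the removed `rl_safe_eval` path did (what `Color.__init__` then produces is outside the hunk). I would make the allow-list a real set, report the full input on failure, and parse the argument list with the same `ast.literal_eval` the patch already relies on one level up, which accepts only constants; keyword arguments stay unsupported on this path, as in the patch. The enclosing method of `toColor` starts before and ends after the hunk.
```python
allowedColorClasses = frozenset('''Color CMYKColor PCMYKColor CMYKColorSep PCMYKColorSep'''.split())
def get_class_instance(class_string):
    match = re.match(r'^(\w+)\((.*)\)$', class_string)
    if not match or match.group(1) not in allowedColorClasses:
        raise ValueError('Invalid color object %r' % (class_string,))
    class_name, args_str = match.groups()
    # constants only (ints, floats, negatives, strings): no names, calls or attribute access
    args = ast.literal_eval('(%s,)' % args_str) if args_str.strip() else ()
    return globals()[class_name](*args)
# … unchanged: inst = get_class_instance(arg) / return inst …
```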
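Review bot: The names added to `__rl_unsafe__` are joined into `__rl_unsafe_re__` as `\b(?:...)` with no closing `\b` (visible on the context line after the hunk), so each new short word is matched as a prefix: `dir`, `open`, `type`, `super` and `property` will also reject identifiers such as `direction`, `opened`, `typeName` or `superscript`, assuming the regex is applied to the source text being evaluated (its use is outside the hunk). If prefix matching is not intended, close the group with a word boundary, `__rl_unsafe_re__ = re.compile(r'\b(?:%s)\b' % '|'.join(__rl_unsafe__),re.M)`, and add one such identifier to the test file's 'pass' list to pin it. `dir` and `classmethod` appear twice in the added lines; the frozenset makes the duplicates harmless, but one copy of each can go. The `__rl_unsafe__` assignment begins at or before the hunk header line.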