Univention Bugzilla – Bug 31523
eval() → getattr()
Last modified: 2021-06-23 07:29:12 CEST
Created attachment 5241 eval.patch

The attached patch replaces the usage of eval(user_input) with getattr(), which in the case of the pkgdb module leads to the ability to execute code as the root user.

poc (untested):
umc-command pkgdb/query -o "key=incomplete_packages(__import__('subprocess').call('touch /tmp/foo'))"
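The eval()-to-getattr() replacement described in the attachment, as an added illustration that is not the attached patch or Univention's own code: the request key is dispatched by name against an explicit allowlist instead of being evaluated. Handler names other than incomplete_packages, the PkgdbQueries class and the sample rows are constructed for this example.

```python
import re

# Constructed stand-in for the pkgdb module's query handlers (hypothetical class,
# not the real univention-pkgdb code): each allowed request "key" maps to one method.
class PkgdbQueries(object):
    # constructed sample data standing in for the package database
    ROWS = [("alpha", "half-installed"), ("beta", "installed"), ("gamma", "unpacked")]

    def incomplete_packages(self):
        return [name for name, state in self.ROWS if state != "installed"]

    def installed_packages(self):
        return [name for name, state in self.ROWS if state == "installed"]

# Shape of the bug: the request option is handed straight to eval(), so any
# Python expression supplied as the key runs with the module's (root) privileges.
# Shown only as the 'before' picture; it is never called in this example.
def query_unsafe(queries, key):
    return eval(key)

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# getattr() alone would still expose every attribute of the object, including
# dunder attributes, so the names a client may select are listed explicitly.
ALLOWED_KEYS = frozenset(["incomplete_packages", "installed_packages"])

def query_safe(queries, key):
    """Dispatch the request key to a handler by name; never evaluate it."""
    if not isinstance(key, str) or not IDENTIFIER.match(key):
        raise ValueError("invalid key: %r" % (key,))
    if key not in ALLOWED_KEYS:
        raise ValueError("unknown key: %r" % (key,))
    return getattr(queries, key)()

def is_rejected(queries, key):
    """True if query_safe refuses the key (used to check the hardened dispatcher)."""
    try:
        query_safe(queries, key)
    except ValueError:
        return True
    return False
```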
Good catch!
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
patch applied, things are still working as expected.

univention-management-console-module-udm (4.0.0-1)
univention-management-console-module-ucr (3.0.0-1)
univention-pkgdb (7.0.1-1)

(In reply to comment #0)
> umc-command pkgdb/query -o
> "key=incomplete_packages(__import__('subprocess').call('touch /tmp/foo'))"

→ umc-command pkgdb/query -o "key=incomplete_packages(__import__('subprocess').call(['touch', '/tmp/foo']))"

Changelog created
QA:
* changes OK
* changelog OK
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".