mirror of
https://github.com/licsber/micropython.git
synced 2024-09-20 09:00:23 +08:00
60cf2c0959
Prior to this commit, pyboard.py used eval() to "parse" file data received from the board. Using eval() on received data from a device is dangerous, because a malicious device may inject arbitrary code execution on the PC that is doing the operation. Consider the following scenario: Eve may write a malicious script to Bob's board in his absence. On return Bob notices that something is wrong with the board, because it doesn't work as expected anymore. He wants to read out boot.py (or any other file) to see what is wrong. What he gets is a remote code execution on his PC. Proof of concept: Eve: $ cat boot.py _print = print print = lambda *x, **y: _print("os.system('ls /; echo Pwned!')", end="\r\n\x04") $ ./pyboard.py -f cp boot.py : cp boot.py :boot.py Bob: $ ./pyboard.py -f cp :boot.py /tmp/foo cp :boot.py /tmp/foo bin chroot dev home lib32 media opt root sbin sys usr boot config etc lib lib64 mnt proc run srv tmp var Pwned! There's also the possibility that the device is malfunctioning and sends random and possibly dangerous data back to the PC, to be eval'd. Fix this problem by using ast.literal_eval() to parse the received bytes, instead of eval(). Signed-off-by: Michael Buesch <m@bues.ch> |
||
---|---|---|
.. | ||
.gitattributes | ||
.gitignore | ||
bootstrap_upip.sh | ||
build-stm-latest.sh | ||
cc1 | ||
codeformat.py | ||
codestats.sh | ||
dfu.py | ||
file2h.py | ||
gen-changelog.sh | ||
gen-cpydiff.py | ||
gendoc.py | ||
insert-usb-ids.py | ||
make-frozen.py | ||
makemanifest.py | ||
metrics.py | ||
mpy_bin2res.py | ||
mpy_cross_all.py | ||
mpy_ld.py | ||
mpy-tool.py | ||
pyboard.py | ||
pydfu.py | ||
tinytest-codegen.py | ||
uf2conv.py | ||
uncrustify.cfg | ||
upip_utarfile.py | ||
upip.py |