math eval vulnerability
Since the earliest versions of Supybot, the Math plugin (called "FunCommands" until 2003) has shipped three commands, "calc", "icalc", and "rpn", that evaluate math expressions.
As a fork of Supybot, Limnoria inherited these commands.
These three commands are built on Python's eval() function and heavily sanitize their input in an attempt to prevent abuse. Everyone knows this is a bad idea, but it seemed good enough, so no one noticed.
On 2019-11-09 I was made aware that someone had finally found a trick to bypass this sanitization, and I confirmed it can be used to read internal data and to cause a denial of service (the bot gets stuck in an eval loop for a long time). It might also be possible to use it to execute arbitrary code, but I did not find a way to do so.
On 2019-11-09, I reimplemented these commands with a proper hand-written evaluator, implemented as a Visitor over the result of ast.parse.
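The following is an added illustration of the approach described above (a whitelisting evaluator built as an ast.NodeVisitor over ast.parse), not Limnoria's actual code. It assumes Python 3.8 or newer (numeric literals arrive as ast.Constant); the names SafeEvaluator, safe_calc, is_safe and the MAX_EXPONENT bound are hypothetical choices for this example. Rather than sanitizing a string and handing it to eval(), it parses the expression, walks the tree, and computes each node itself; any node type it does not explicitly handle (attribute access, subscripts, lambdas, comprehensions, string literals, unknown names, keyword arguments) is rejected, and oversized exponents are refused so that a single expression cannot tie up the bot for a long time.

```python
import ast
import math
import operator

# Added example, not Limnoria's evaluator. Everything not listed here is rejected.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
# Callable names; attribute access such as "x.y" is never allowed, so only
# these top-level functions are reachable from an expression.
_FUNCTIONS = {"sqrt": math.sqrt, "sin": math.sin, "cos": math.cos,
              "log": math.log, "abs": abs}
_CONSTANTS = {"pi": math.pi, "e": math.e}

MAX_EXPONENT = 1000  # hypothetical bound against CPU/memory exhaustion via huge powers


class UnsafeExpression(ValueError):
    """Raised for any syntax or name the evaluator does not whitelist."""


class SafeEvaluator(ast.NodeVisitor):
    """Computes a parsed expression node by node; no eval() anywhere."""

    def visit_Expression(self, node):
        return self.visit(node.body)

    def visit_Constant(self, node):
        # Only plain numbers; bool is a subclass of int and is excluded on purpose,
        # and strings/bytes/None are never accepted.
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise UnsafeExpression("only numeric literals are allowed")
        return node.value

    def visit_Name(self, node):
        if node.id not in _CONSTANTS:
            raise UnsafeExpression(f"unknown name: {node.id}")
        return _CONSTANTS[node.id]

    def visit_BinOp(self, node):
        op = _BINARY_OPS.get(type(node.op))
        if op is None:
            raise UnsafeExpression(f"operator not allowed: {type(node.op).__name__}")
        left = self.visit(node.left)
        right = self.visit(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return op(left, right)

    def visit_UnaryOp(self, node):
        op = _UNARY_OPS.get(type(node.op))
        if op is None:
            raise UnsafeExpression(f"operator not allowed: {type(node.op).__name__}")
        return op(self.visit(node.operand))

    def visit_Call(self, node):
        # The callee must be a bare whitelisted name, never an attribute or a computed value.
        if not isinstance(node.func, ast.Name) or node.func.id not in _FUNCTIONS:
            raise UnsafeExpression("function not allowed")
        if node.keywords:
            raise UnsafeExpression("keyword arguments are not allowed")
        args = [self.visit(arg) for arg in node.args]
        return _FUNCTIONS[node.func.id](*args)

    def generic_visit(self, node):
        # Default for every node type without a visit_* method above:
        # Attribute, Subscript, Lambda, List, Tuple, comprehensions, f-strings, ...
        raise UnsafeExpression(f"syntax not allowed: {type(node).__name__}")


def safe_calc(expression):
    """Parse and evaluate a math expression without eval()."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"invalid expression: {exc.msg}") from None
    return SafeEvaluator().visit(tree)


def is_safe(expression):
    """True if the expression is accepted by the whitelist, False if rejected."""
    try:
        safe_calc(expression)
    except UnsafeExpression:
        return False
    return True


if __name__ == "__main__":
    for expr in ("2 + 3 * 4", "sqrt(16) + pi", "(1).real", "2**10**10"):
        print(expr, "->", safe_calc(expr) if is_safe(expr) else "rejected")
```

Arithmetic errors from accepted expressions (ZeroDivisionError, math domain errors) still propagate as their normal exceptions; a bot command would catch those separately and report them to the user. The important property is that the set of reachable operations is exactly the two small dictionaries above, regardless of how the input string is written.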
Therefore, the vulnerability is now fixed in Limnoria by commit 3848ae78de45b35c029cc333963d436b9d2f0a35, released in version 2019.11.09 (published on 2019-11-09).
As Supybot is no longer updated, it will not receive a security fix.