
What's New In Reportlab 3.6.13

released on 27/April/2023

Changes to ReportLab and ReportLabPLUS

  • Security improvements to the use of eval (the toColor "little language")
  • a few other small fixes

With thanks to Elyas Damej of https://cure53.de/, ReportLab were made aware of an exploit that we closed in this release.

Background: eval is dangerous

eval is nevertheless really useful when you want to give your users a "little language" inside a product. In our case this includes the function toColor in src/reportlab/lib/colors.py, which accepts strings describing many colour operations and functions.

Historically, Python's eval has been a frequent route for malicious input to execute arbitrary code, because any expression it accepts runs with the full power of the interpreter. So as exploits arose over the years we wrapped it in a function, rl_safe_eval.py, which attempted to blacklist known-dangerous constructs. A blacklist can only cover the tricks already known; each new bypass has to be found and blocked individually.

latest concern

Elyas Damej of https://cure53.de/ contacted ReportLab in April 2023 detailing a previously unknown way to get malicious code executed via toColor.

the fix

We have now rewritten toColor to use Python's ast.parse() and various helpers. The input is still parsed as Python syntax, but the resulting parse tree is then walked explicitly and only a limited subset of Python literals and calls relating to constructing Color classes is permitted; any other node type is rejected before anything is evaluated. This is a whitelist of what the grammar may contain, rather than a blacklist of known-bad strings.
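To make the approach concrete, here is an added example of an ast-based whitelist evaluator in the style described above. It is written for this page and is not ReportLab's own rl_extended_literal_eval; the Color class, the HexColor helper, the ALLOWED_CALLS table and the sample inputs are all constructed for the illustration. The evaluator parses the string with ast.parse in "eval" mode and then accepts only constants, tuples and lists, unary minus on numbers, and calls whose target is a bare whitelisted name. Attribute access, subscripts, arbitrary names and star-arguments are refused, which is what closes the usual eval escape routes (dunder attribute chains, __import__, builtins such as open).

```python
import ast


class Color:
    """Minimal stand-in for a colour class (constructed for this example)."""

    def __init__(self, red=0.0, green=0.0, blue=0.0, alpha=1.0):
        self.red, self.green, self.blue, self.alpha = (
            float(red), float(green), float(blue), float(alpha))

    def __eq__(self, other):
        return isinstance(other, Color) and (
            (self.red, self.green, self.blue, self.alpha)
            == (other.red, other.green, other.blue, other.alpha))

    def __repr__(self):
        return "Color(%g, %g, %g, alpha=%g)" % (
            self.red, self.green, self.blue, self.alpha)


def HexColor(s):
    """Parse '#rrggbb' into a Color (constructed helper, not ReportLab's)."""
    s = s.lstrip("#")
    if len(s) != 6:
        raise ValueError("bad hex colour %r" % s)
    r, g, b = (int(s[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    return Color(r, g, b)


# The only names the little language may call (assumed whitelist).
# Anything else is rejected before it is ever looked up, so there is no
# path to builtins, modules or dunder attributes.
ALLOWED_CALLS = {"Color": Color, "HexColor": HexColor}


class UnsafeColorExpression(ValueError):
    pass


def _eval_node(node):
    # Literals: numbers, strings, True/False/None (ast.Constant, Python 3.8+).
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float, str, type(None))):
            return node.value
        raise UnsafeColorExpression("unsupported constant %r" % (node.value,))
    if isinstance(node, ast.Tuple):
        return tuple(_eval_node(e) for e in node.elts)
    if isinstance(node, ast.List):
        return [_eval_node(e) for e in node.elts]
    # Allow "-0.5" but nothing else that looks like arithmetic.
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        v = _eval_node(node.operand)
        if isinstance(v, (int, float)) and not isinstance(v, bool):
            return -v
        raise UnsafeColorExpression("unary minus on non-number")
    if isinstance(node, ast.Call):
        # Only a bare whitelisted name may be called: no attribute access
        # (x.y(...)), no calling the result of another expression, no *args.
        if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS:
            raise UnsafeColorExpression("call target not permitted")
        if any(isinstance(a, ast.Starred) for a in node.args) or any(
                kw.arg is None for kw in node.keywords):
            raise UnsafeColorExpression("star-args not permitted")
        args = [_eval_node(a) for a in node.args]
        kwargs = {kw.arg: _eval_node(kw.value) for kw in node.keywords}
        return ALLOWED_CALLS[node.func.id](*args, **kwargs)
    # Everything else (Name, Attribute, Subscript, BinOp, Lambda,
    # comprehensions, ...) is refused: whitelist, not blacklist.
    raise UnsafeColorExpression("node type %s not permitted" % type(node).__name__)


def safe_color_eval(text):
    """Evaluate a colour expression using only the whitelisted subset."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as e:
        raise UnsafeColorExpression("syntax error: %s" % e)
    return _eval_node(tree.body)


def is_rejected(text):
    """True if safe_color_eval refuses the expression."""
    try:
        safe_color_eval(text)
    except UnsafeColorExpression:
        return True
    return False


if __name__ == "__main__":
    print(safe_color_eval("Color(1, 0, 0)"))
    print(safe_color_eval("HexColor('#00ff00')"))
    # Payloads of the kind a blacklist has to chase one by one (constructed):
    for bad in ("__import__('os').system('id')",
                "().__class__.__base__.__subclasses__()",
                "Color.__init__.__globals__",
                "open('/etc/passwd').read()"):
        print("%-45s rejected=%s" % (bad, is_rejected(bad)))
```

The whitelisted callables are now the whole attack surface: they must themselves be safe to call with attacker-chosen literal arguments, and the evaluator should sit behind whatever input-length limits the application already applies, since a very deeply nested expression can still exhaust the parser's recursion.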

who might be affected

This exploit is only possible if you allow hostile input to reach toColor, for example if you accept the URL of an HTML page someone else has written and feed its colour values through a generic conversion routine. Applications that only pass their own fixed colour names and values are not exposed.

If you really need the old functionality in toColor, edit rl_settings.py as appropriate:

    toColorCanUse='rl_extended_literal_eval'|None|'rl_safe_eval'   # depending on trust

The default is to use the new custom evaluator.