What's New In Reportlab 3.6.13
released on 27/April/2023
Changes to ReportLab and ReportLabPLUS
- Security improvements in the use of eval
- a few other small fixes
With thanks to Elyas Damej of https://cure53.de/, ReportLab were made aware of an exploit that we closed in this release.
eval is dangerous
eval is also really useful when you want to give your users a "little language" in a product. In our case this includes the function toColor in src/reportlab/lib/colors.py, which allows many colour operations and functions.
The eval function in Python has repeatedly been exploited through malicious input. So at various points exploits arose, and we wrapped it in a function in rl_safe_eval.py which attempted to blacklist certain uses.
Elyas Damej of https://cure53.de/ contacted ReportLab in April 2023 detailing a previously undiscovered way to get malicious code executed via
We have now rewritten toColor to use Python's ast.parse() and various helpers. So it can still parse Python syntax accurately, but the parse tree is processed explicitly to make sure that we use only a limited subset of Python literals relating to constructing Color classes.
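As an added illustration of that approach (this is not ReportLab's own toColor or rl_extended_literal_eval code), the untrusted text is parsed with ast.parse() and the tree is walked so that only named colours, numeric tuples and calls to a whitelisted constructor can ever produce a value; the Color class and the NAMED table are constructed stand-ins for reportlab.lib.colors.

```python
import ast

# Constructed stand-ins for reportlab.lib.colors so the example runs on its own.
class Color:
    def __init__(self, red, green, blue, alpha=1.0):
        self.red, self.green, self.blue, self.alpha = red, green, blue, alpha
    def __eq__(self, other):
        return isinstance(other, Color) and vars(self) == vars(other)

NAMED = {"red": Color(1, 0, 0), "blue": Color(0, 0, 1), "black": Color(0, 0, 0)}
CONSTRUCTORS = {"Color": Color}      # the only callables the walker may invoke

def _number(node):
    """Accept an int/float literal, optionally signed; anything else is refused."""
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        v = _number(node.operand)
        return -v if isinstance(node.op, ast.USub) else v
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    raise ValueError("expected a numeric literal, got %s" % type(node).__name__)

def _walk(node):
    """Map a parse tree to a Color using only whitelisted node shapes."""
    if isinstance(node, ast.Name) and node.id in NAMED:           # e.g. red
        return NAMED[node.id]
    if isinstance(node, (ast.Tuple, ast.List)):                  # e.g. (1, 0, 0)
        return Color(*[_number(e) for e in node.elts])
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in CONSTRUCTORS):                   # e.g. Color(1, 0, 0)
        if any(k.arg is None for k in node.keywords):            # refuse **kwargs
            raise ValueError("keyword unpacking is not allowed")
        args = [_number(a) for a in node.args]                   # refuses *args too
        kwargs = {k.arg: _number(k.value) for k in node.keywords}
        return CONSTRUCTORS[node.func.id](*args, **kwargs)
    # Attributes, subscripts, lambdas, other calls, strings: nothing is evaluated.
    raise ValueError("disallowed expression: " + ast.dump(node))

def safe_to_color(text):
    """Parse untrusted colour text with ast.parse, never eval, and walk it."""
    return _walk(ast.parse(text.strip(), mode="eval").body)

def is_rejected(text):
    """True when the input is refused, whether by syntax or by the whitelist."""
    try:
        safe_to_color(text)
    except (SyntaxError, ValueError, TypeError):
        return True
    return False
```

Because the walker only ever dispatches on node types it recognises, any new Python syntax or name it has not been taught is refused by default rather than evaluated.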
Who might be affected
This exploit would only be possible if you allow hostile input to be passed into colors - for example if you accept the URL of an HTML page someone else has written and convert it with a generic conversion routine.
If you really need the old functionality, set the following in rl_settings.py as appropriate:
`toColorCanUse='rl_extended_literal_eval'|None|'rl_safe_eval'` # depending on trust
The default is to use the new custom evaluator.