We have a couple of uses of the python function eval() in the pulp server. We need to remove this usage b/c it can allow arbitrary code execution. The 2 instances I see are in webservices/controllers/repositories.py and webservices/controllers/consumers.py. They are eval()'ing url query parameters, so we should probably fix this. There are also some uses in the client, which should probably also be fixed. Instead of using eval, we can just run the user input through json.loads before sending it to the server. Or, if the intent is to have the user specify python dict or json syntax on the command line, we could have a more friendly interface by using a command line option like: --option key:value
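As an added illustration (not Pulp's own code), here is the eval() pattern the report describes next to the two replacements it proposes, json.loads and a key:value option; the function names and the validation rules are assumptions for this example.

```python
import json

# Constructed example: contrast eval() on caller-supplied input with
# two parsers that never execute anything.


def parse_note_unsafe(raw):
    # The defect the report describes: eval() treats the parameter as
    # Python source, so whatever expression the caller sends is run.
    return eval(raw)  # kept deliberately to show the risky pattern


def parse_note_json(raw):
    # json.loads only decodes JSON data. Anything that is not JSON,
    # including a Python expression, raises ValueError instead of running.
    note = json.loads(raw)
    if not isinstance(note, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in note.items()
    ):
        raise ValueError("note must be a JSON object of string keys and values")
    return note


def parse_note_kv(raw):
    # The friendlier CLI form suggested in the report: key:value.
    # Split on the first colon only, so values such as URLs keep theirs.
    key, sep, value = raw.partition(":")
    if not sep or not key:
        raise ValueError("note must be in key:value format")
    return {key: value}
```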
commit 333b1f6475b51eac9cc28795c966e37ab5e7ec74
Author: Sayli Karmarkar <skarmark>
Date: Thu Dec 1 20:08:59 2011 -0800

    Making pulp 'eval' free and updating repo list --note to accept a note in key:value format instead of dictionary
build: 0.254.
verified

[root@preethi ~]# rpm -q pulp
pulp-0.0.254-4.fc15.noarch
[root@preethi ~]# pulp-admin -u admin -p admin repo add_note --id=test --key=test --value=test
Successfully added key-value pair test:test
Pulp v1.0 is released.
Status: Closed (Current Release)