Change all eval() calls to ast.literal_eval()
- closes an exploit whereby an infected online MMGen installation could craft a special TX file to trick an offline signing MMGen into executing an arbitrary expression
- update TX file format (to v3) to permit calling literal_eval() on unmodified inputs and outputs data (old v2 file format continues to be supported)
- new TX file conversion script: `scripts/tx-v2-to-v3.py`
- `scripts/tx-old2new.py` modified and renamed to `scripts/tx-v1-to-v3.py`
parent
f7e54cce93
commit
6b9df0ea44
7 changed files with 105 additions and 42 deletions
|
|
@ -2421,7 +2421,8 @@ class MMGenTestSuite(object):
|
|||
|
||||
def regtest_get_mempool(self,name):
|
||||
t = MMGenExpect(name,'mmgen-regtest',['show_mempool'])
|
||||
return eval(t.read())
|
||||
from ast import literal_eval
|
||||
return literal_eval(t.read())
|
||||
|
||||
def regtest_get_mempool1(self,name):
|
||||
mp = self.regtest_get_mempool(name)
|
||||
|
|
@ -2681,10 +2682,10 @@ class MMGenTestSuite(object):
|
|||
with open(fn) as f:
|
||||
lines = f.read().splitlines()
|
||||
|
||||
from mmgen.obj import BTCAmt,LTCAmt,BCHAmt,B2XAmt
|
||||
tx = {}
|
||||
from ast import literal_eval
|
||||
for k,i in (('in',3),('out',4)):
|
||||
tx[k] = eval(lines[i])
|
||||
tx[k] = literal_eval(lines[i])
|
||||
tx[k+'_addrs'] = [i['addr'] for i in tx[k]]
|
||||
|
||||
psave = g.proto
|
||||
|
|
|
|||
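Review bot: In the second hunk `tx[k] = literal_eval(lines[i])` is followed directly by `[i['addr'] for i in tx[k]]`, so the code relies on the parsed value being a list of dicts, while `literal_eval` will just as readily return a string, number, tuple or set. A check right after the parse, such as `if not (isinstance(tx[k],list) and all(isinstance(e,dict) and 'addr' in e for e in tx[k])): raise ValueError('bad %sputs data' % k)`, would make a malformed TX file fail at the parse step with a clear message. `literal_eval` removes code execution but not resource exhaustion: Python's documentation warns that large or deeply nested input can exhaust memory or the C stack, so the non-test TX parser (not visible here) presumably wants a size bound on each line before parsing. `from ast import literal_eval` is added inside a function body in both hunks; a single module-level import would avoid the repetition, assuming the file's import block (outside these hunks) allows it. Both enclosing functions begin or end outside the visible hunks.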