python-tqdm/CVE-2024-34062.patch

From b53348c73080b4edeb30b4823d1fa0d8d2c06721 Mon Sep 17 00:00:00 2001
From: Casper da Costa-Luis <tqdm@cdcl.ml>
Date: Wed, 1 May 2024 14:56:01 +0100
Subject: [PATCH] cli: eval safety

- fixes GHSA-g7vv-2v7x-gj9p
---
 tqdm/cli.py | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/tqdm/cli.py b/tqdm/cli.py
index 1223d4977..7284f28d5 100644
--- a/tqdm/cli.py
+++ b/tqdm/cli.py
@@ -21,23 +21,34 @@ def cast(val, typ):
                 return cast(val, t)
             except TqdmTypeError:
                 pass
-        raise TqdmTypeError(val + ' : ' + typ)
+        raise TqdmTypeError(f"{val} : {typ}")
 
     # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
     if typ == 'bool':
         if (val == 'True') or (val == ''):
             return True
-        elif val == 'False':
+        if val == 'False':
             return False
-        else:
-            raise TqdmTypeError(val + ' : ' + typ)
-    try:
-        return eval(typ + '("' + val + '")')
-    except Exception:
-        if typ == 'chr':
-            return chr(ord(eval('"' + val + '"'))).encode()
-        else:
-            raise TqdmTypeError(val + ' : ' + typ)
+        raise TqdmTypeError(val + ' : ' + typ)
+    if typ == 'chr':
+        if len(val) == 1:
+            return val.encode()
+        if re.match(r"^\\\w+$", val):
+            return eval(f'"{val}"').encode()
+        raise TqdmTypeError(f"{val} : {typ}")
+    if typ == 'str':
+        return val
+    if typ == 'int':
+        try:
+            return int(val)
+        except ValueError as exc:
+            raise TqdmTypeError(f"{val} : {typ}") from exc
+    if typ == 'float':
+        try:
+            return float(val)
+        except ValueError as exc:
+            raise TqdmTypeError(f"{val} : {typ}") from exc
+    raise TqdmTypeError(f"{val} : {typ}")
 
 
 def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,
Fix CVE-2024-34062 (cherry picked from commit 51b41c10a2e4d10f56b4b0b5f319a092523a447e) 2024-05-06 09:21:45 +08:00			`From b53348c73080b4edeb30b4823d1fa0d8d2c06721 Mon Sep 17 00:00:00 2001`
			`From: Casper da Costa-Luis <tqdm@cdcl.ml>`
			`Date: Wed, 1 May 2024 14:56:01 +0100`
			`Subject: [PATCH] cli: eval safety`

			`- fixes GHSA-g7vv-2v7x-gj9p`
			`---`
			`tqdm/cli.py \| 33 ++++++++++++++++++++++-----------`
			`1 file changed, 22 insertions(+), 11 deletions(-)`

			`diff --git a/tqdm/cli.py b/tqdm/cli.py`
			`index 1223d4977..7284f28d5 100644`
			`--- a/tqdm/cli.py`
			`+++ b/tqdm/cli.py`
			`@@ -21,23 +21,34 @@ def cast(val, typ):`
			`return cast(val, t)`
			`except TqdmTypeError:`
			`pass`
			`- raise TqdmTypeError(val + ' : ' + typ)`
			`+ raise TqdmTypeError(f"{val} : {typ}")`

			# sys.stderr.write('\ndebug \| `val:type`: `' + val + ':' + typ + '`.\n')
			`if typ == 'bool':`
			`if (val == 'True') or (val == ''):`
			`return True`
			`- elif val == 'False':`
			`+ if val == 'False':`
			`return False`
			`- else:`
			`- raise TqdmTypeError(val + ' : ' + typ)`
			`- try:`
			`- return eval(typ + '("' + val + '")')`
			`- except Exception:`
			`- if typ == 'chr':`
			`- return chr(ord(eval('"' + val + '"'))).encode()`
			`- else:`
			`- raise TqdmTypeError(val + ' : ' + typ)`
			`+ raise TqdmTypeError(val + ' : ' + typ)`
			`+ if typ == 'chr':`
			`+ if len(val) == 1:`
			`+ return val.encode()`
			`+ if re.match(r"^\\\w+$", val):`
			`+ return eval(f'"{val}"').encode()`
			`+ raise TqdmTypeError(f"{val} : {typ}")`
			`+ if typ == 'str':`
			`+ return val`
			`+ if typ == 'int':`
			`+ try:`
			`+ return int(val)`
			`+ except ValueError as exc:`
			`+ raise TqdmTypeError(f"{val} : {typ}") from exc`
			`+ if typ == 'float':`
			`+ try:`
			`+ return float(val)`
			`+ except ValueError as exc:`
			`+ raise TqdmTypeError(f"{val} : {typ}") from exc`
			`+ raise TqdmTypeError(f"{val} : {typ}")`


			`def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,`