democritus-project / d8s-xml

Democritus functions for working with XML.
GNU Lesser General Public License v3.0

code execution backdoor #10

Closed di1l0o closed 2 years ago

di1l0o commented 2 years ago

We discovered a potential code execution backdoor in version 0.1.0 of the project: the backdoor is the democritus-strings package. Attackers can upload democritus-strings packages containing arbitrary malicious code. For the safety of this project, the democritus-strings package has been uploaded by us.

The democritus-strings package can be successfully installed using `pip install d8s-xml==0.1.0`.

Suggestion: remove version 0.1.0 of this project in PyPI
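The report above describes a dependency whose name was not claimed on PyPI, so whoever registers it decides what `pip install d8s-xml==0.1.0` pulls in. The usual defence on the consuming side is to pin every dependency to an exact version and to a recorded artifact digest, so that pip refuses anything that does not match. The audit below is an added example for this thread, not code from the d8s-xml project or from either commenter; the requirements file and the sha256 value in it are constructed, and the placeholder digest is not a real hash of any release.

```python
"""Audit a pip requirements file for dependencies that are not fully pinned.

A requirement without an exact version and a --hash pin lets pip accept whatever
distribution the index serves for that name, including one uploaded later by a
third party to a previously unclaimed name. With hash pins, pip rejects any
artifact whose digest differs from the recorded one.
"""
import re
from dataclasses import dataclass, field

# Constructed sample requirements file. The sha256 value is a placeholder
# made of zeros, not the digest of any real d8s-xml release.
SAMPLE_REQUIREMENTS = """\
# dependencies for an application that uses d8s-xml
d8s-xml==0.1.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
democritus-strings
requests>=2.0
lxml==4.9.1
"""

# PEP 508 project name followed by whatever version specifier trails it.
_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(.*)$")


@dataclass
class Requirement:
    name: str
    specifier: str                      # e.g. "==0.1.0", ">=2.0", or "" if absent
    hashes: list = field(default_factory=list)

    @property
    def exact_pin(self) -> bool:
        return self.specifier.startswith("==")

    @property
    def hash_pinned(self) -> bool:
        return bool(self.hashes)


def _logical_lines(text: str):
    """Yield requirement lines with backslash continuations joined and
    comments / blank lines removed."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield stripped


def parse_requirements(text: str) -> list:
    """Parse a requirements file into Requirement records."""
    reqs = []
    for line in _logical_lines(text):
        tokens = line.split()
        head, options = tokens[0], tokens[1:]
        match = _NAME_RE.match(head)
        if not match:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, spec = match.group(1), match.group(2).strip()
        hashes = [opt[len("--hash="):] for opt in options if opt.startswith("--hash=")]
        reqs.append(Requirement(name=name, specifier=spec, hashes=hashes))
    return reqs


def audit(text: str) -> dict:
    """Return {name: [problem, ...]} for every requirement pip would install
    without being able to verify the artifact against a recorded digest."""
    problems = {}
    for req in parse_requirements(text):
        issues = []
        if not req.exact_pin:
            issues.append("version not pinned with ==")
        if not req.hash_pinned:
            issues.append("no --hash pin")
        if issues:
            problems[req.name] = issues
    return problems


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {'; '.join(issues)}")
```

In the sample, `democritus-strings` is reported as unpinned on both counts, which is exactly the condition under which an index-side substitution goes unnoticed. Note that once any requirement in a file carries a `--hash`, pip switches to hash-checking mode and demands digests for all of them, so a partially pinned file fails to install rather than silently trusting the rest.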

fhightower commented 2 years ago

Thanks for raising this issue (and all of the similar ones) @di1l0o! I'll take a look.

I probably will not bother removing v0.1.0 from PyPI as no one should be using that version, but I'll give it some thought.