zopefoundation / RestrictedPython

A restricted execution environment for Python to run untrusted code.
http://restrictedpython.readthedocs.io/

unpack question #276

Open jsmith173 opened 5 months ago

jsmith173 commented 5 months ago

I have the following code

encoding: unicode_escape

```python
a1,srt_rce,a2 = ''' \u0027\u0027\u0027\u002C\u0067\u0065\u0074\u0061\u0074\u0074\u0072\u0028\u005F\u005F\u0069\u006D\u0070\u006F\u0072\u0074\u005F\u005F\u0028\u0027\u006F\u0073\u0027\u0029\u002C\u0020\u0027\u0073\u0079\u0073\u0074\u0065\u006D\u0027\u0029\u002C\u0027\u0027\u0027 '''
srt_rce('whoami')
```

The unicode escape is: `''',getattr(__import__('os'), 'system'),'''`

The protector code raises `ValueError: too many values to unpack (expected 3)` in `exec`. In my protector code I have:

```python
"_iter_unpack_sequence_": RestrictedPython.Guards.guarded_iter_unpack_sequence,
"_unpack_sequence_": RestrictedPython.Guards.guarded_unpack_sequence,
```

My question: Is this exception normal? Why is the original code not executed? What should I do when I want to execute this code?

d-maurer commented 5 months ago

jsmith173 wrote at 2024-3-25 00:13 -0700:

> I have the following code
>
> encoding: unicode_escape
>
> a1,srt_rce,a2 = ''' \u0027\u0027\u0027\u002C\u0067\u0065\u0074\u0061\u0074\u0074\u0072\u0028\u005F\u005F\u0069\u006D\u0070\u006F\u0072\u0074\u005F\u005F\u0028\u0027\u006F\u0073\u0027\u0029\u002C\u0020\u0027\u0073\u0079\u0073\u0074\u0065\u006D\u0027\u0029\u002C\u0027\u0027\u0027 ''' ... The protector code raises ValueError "too many values to unpack (expected 3)" in exec

When I look at the code above, I would say ValueError is correct: the right-hand side is a string with more than 3 characters, the left-hand side wants 3 objects; ValueError is the expected outcome.

> ... My question: Is this exception normal?

Yes.

> Why is the original code not executed?

It is, but the "execution" of a string literal is the string literal.

> What should I do when I want to execute this code?

You do not put expressions into a string when you want the expressions evaluated (unless you use the string as source code for a compilation; in this case, however, you should show us the compilation code).
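To illustrate the reply above, here is a simplified model of the unpack guard (example code written for this page, not RestrictedPython's own): a string on the right-hand side only ever yields its characters, so the three-target assignment from the issue fails the interpreter's length check and nothing written inside the literal is evaluated. The spec shape, the policy hook and the helper names are assumptions.

```python
# Added example, not RestrictedPython's own code: a simplified model of the
# sequence-unpacking guard, showing why `a1, srt_rce, a2 = '''...'''` ends in
# ValueError and why nothing written inside the string literal ever runs.
# Assumed: the spec shape {'min_len', 'childs'} and the _getiter_ hook follow
# RestrictedPython's design; all function names here are chosen for this page.

def getiter_hook(obj):
    """Stand-in for the `_getiter_` policy hook: allow only plain sequences."""
    if not isinstance(obj, (str, list, tuple)):
        raise TypeError(f"unpacking a {type(obj).__name__} is not allowed")
    return iter(obj)

def guarded_unpack(value, spec, getiter=getiter_hook):
    """Materialise the right-hand side through the hook and recurse into any
    nested targets. The guard itself does not enforce the element count;
    CPython's own tuple unpacking does that afterwards."""
    items = list(getiter(value))
    if len(items) < spec["min_len"]:
        return items
    for idx, child_spec in spec["childs"]:
        items[idx] = guarded_unpack(items[idx], child_spec, getiter)
    return items

def run_unpack(value):
    """Mimic `a1, srt_rce, a2 = value` as the restricted code executes it."""
    elements = guarded_unpack(value, {"min_len": 3, "childs": []})
    # For a string, elements is a list of single characters: the text
    # "getattr(...)" is data, never compiled. A 3-character string binds
    # fine; anything longer raises "too many values to unpack (expected 3)".
    a1, srt_rce, a2 = elements
    return a1, srt_rce, a2

def unpack_result(value):
    """Return ("ok", targets) or ("error", message) so callers can inspect."""
    try:
        return "ok", run_unpack(value)
    except ValueError as exc:
        return "error", str(exc)

if __name__ == "__main__":
    # Constructed inputs; the second mirrors the issue's decoded string with a
    # harmless attribute lookup written in place of os.system.
    print(unpack_result("abc"))
    print(unpack_result("''',getattr(str, 'upper'),'''"))
    # Only real objects on the right-hand side get bound to srt_rce:
    print(unpack_result(["", str.upper, ""])[1][1] is str.upper)
```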