Hi Alex,
I reported it to <email address hidden>. To be honest though, I don't think it's going to look like a vulnerability to them. I have attached the poc that I sent them. It uses configparser to parse /dev/zero. Let's see what they say, but I think it's just going to be: "that's not a bug".
I also don't think we can blame configparser for following the symlink. I imagine it's quite common for config files to be symlinks to other locations.
I would recommend changing the code to use `read_file`, rather than `read`:
https://docs.python.org/3/library/configparser.html#configparser.ConfigParser.read_file
That will enable you to do validation on the file before you pass it to configparser.
Thanks,
Kev
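The pattern the comment recommends, worked through as an added example (not code from this thread or from the affected project): `ConfigParser.read()` opens the path itself, follows symlinks, silently skips files it cannot open, and will consume a device such as `/dev/zero` indefinitely. Opening the file ourselves, checking the descriptor with `fstat`, and only then calling `read_file()` lets the caller decide what counts as an acceptable config file. The function names, the `MAX_CONFIG_BYTES` cap, and the `follow_symlinks` policy knob are assumptions for this example; the fixture files are constructed in a temporary directory.

```python
import configparser
import os
import stat
import tempfile

# Assumed size cap for a config file; tune to the deployment.
MAX_CONFIG_BYTES = 1024 * 1024


class ConfigValidationError(Exception):
    """Raised when a config path fails validation before parsing."""


def load_config_unsafe(path):
    # Weak pattern: read() opens the path itself, follows symlinks, silently
    # ignores files it cannot open, and never stops reading from /dev/zero.
    parser = configparser.ConfigParser()
    parser.read(path)
    return parser


def load_config_checked(path, max_bytes=MAX_CONFIG_BYTES, follow_symlinks=False):
    """Open, validate, then hand the already-open file to read_file().

    follow_symlinks=False refuses a symlink at the final path component;
    set it to True if symlinked config files are expected (the thread notes
    they are common) while still validating whatever the link resolves to.
    """
    flags = os.O_RDONLY
    if not follow_symlinks and hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW  # POSIX: open fails with ELOOP on a symlink
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise ConfigValidationError(f"cannot open {path!r}: {exc}") from exc
    try:
        # Validate the object we actually opened, not the path string,
        # so a swap between check and use cannot bypass the checks.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ConfigValidationError(f"{path!r} is not a regular file")
        if st.st_size > max_bytes:
            raise ConfigValidationError(f"{path!r} exceeds {max_bytes} bytes")
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            fd = -1  # the file object now owns the descriptor
            parser = configparser.ConfigParser()
            parser.read_file(fh, source=path)
            return parser
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed fixture: a real ini file, a symlink to it, and a device node."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "app.ini")
        with open(real, "w", encoding="utf-8") as fh:
            fh.write("[server]\nport = 8080\n")
        link = os.path.join(tmp, "app-link.ini")
        os.symlink(real, link)

        results["regular"] = load_config_checked(real)["server"]["port"]
        # Symlink accepted only when policy allows it; the target is still validated.
        results["symlink_followed"] = load_config_checked(
            link, follow_symlinks=True)["server"]["port"]
        for label, target in (("symlink", link), ("device", "/dev/zero")):
            try:
                load_config_checked(target)
                results[label] = "accepted"
            except ConfigValidationError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `fstat` on the open descriptor is the important step: checking `os.path.isfile(path)` before calling `read(path)` would leave a window in which the path could be swapped, whereas validating the descriptor and passing the same open file to `read_file()` removes that gap.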