From: Markus Klotzbuecher Date: Wed, 12 Feb 2020 19:46:44 +0000 (+0100) Subject: moveconfig: replace unsafe eval with asteval X-Git-Tag: v2020.04-rc3~2^2~2 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b3192f48c19c15d37ba69722b2846de4b73b27cd;p=oweals%2Fu-boot.git moveconfig: replace unsafe eval with asteval Commit b237d358b425 ("moveconfig: expand simple expressions") added support for expanding expressions in configs, but used the unsafe python built-in "eval". This patch fixes this by replacing eval with the asteval module. Signed-off-by: Markus Klotzbuecher Cc: Heinrich Schuchardt Cc: Heiko Schocher Cc: Tom Rini Cc: Simon Glass Cc: Joe Hershberger Cc: Masahiro Yamada Reviewed-by: Heinrich Schuchardt
---
diff --git a/tools/moveconfig.py b/tools/moveconfig.py
index 36160a3977..df20ec66af 100755
--- a/tools/moveconfig.py
+++ b/tools/moveconfig.py
@@ -295,6 +295,7 @@ To see the complete list of supported options, run
 """
+import asteval
 import collections
 import copy
 import difflib
@@ -808,10 +809,11 @@ def try_expand(line):
 return line
 try:
+ aeval = asteval.Interpreter( usersyms=SIZES, minimal=True )
 cfg, val = re.split("=", line)
 val= val.strip('\"')
 if re.search("[*+-/]|<<|SZ_+|\(([^\)]+)\)", val):
- newval = hex(eval(val, SIZES))
+ newval = hex(aeval(val))
 print("\tExpanded expression %s to %s" % (val, newval))
 return cfg+'='+newval
 except:
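Review bot: The `import asteval` added at module top in the first hunk makes a third-party package a hard requirement for every run of moveconfig.py, including runs that never call try_expand, and a missing package surfaces only as an ImportError traceback. The hunk sits directly under the end of the usage docstring, so I would document the requirement there with a line such as `This tool requires the asteval package (for example: pip install asteval).`, unless the text above the hunk already says so.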
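Review bot: In try_expand the new `hex(aeval(val))` reaches its failure path only by accident: as far as I know asteval records an evaluation error in `aeval.error`, prints it, and returns None instead of raising, so a bad expression gets to the `except:` at the end of the hunk only because `hex(None)` raises TypeError. I would make that explicit with `result = aeval(val)` and `if aeval.error or not isinstance(result, int): raise ValueError(val)` before calling `hex(result)`. Passing `use_numpy=False` alongside `minimal=True` would also keep numpy names out of the symbol table if the asteval version in use still loads them by default, which is worth confirming. asteval limits what an expression can reach but not how much time or memory it takes, so config values should still be treated as untrusted input. The body of the `except:` clause and the rest of try_expand are outside the hunk.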