View Issue Details

ID: 0003391
Project: Expressions
Category: Bug
View Status: public
Last Update: 2020-02-27 05:56
Reporter: eivindkvedalen
Assigned To: realthunder
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 0.17
Summary: 0003391: Array and dictionary lookup does not work in expressions
Description: See discussion on https://forum.freecadweb.org/viewtopic.php?f=3&t=26876#p214826
Tags: No tags attached.
FreeCAD Information

Activities

ezzieyguywuf

2019-12-03 04:29

developer   ~0013858

Is this a bug or a feature request?

As discussed in this post, it sounds like there is a true security bug related to this, but I don't fully understand how to reproduce the issue that results in the security vulnerability.

Can someone provide a step-by-step to reproduce the fix posted by triplus here, and describe how this leads to the security issue mentioned by elvind?

Kunda1

2020-02-23 19:53

administrator   ~0014178

@realthunder pardon, just wondering if your pending FreeCAD Pull Request 3062 addresses this?

realthunder

2020-02-23 21:47

developer   ~0014179

Yes, the PR addressed this. And it shall have completion support for that. And no, there won't be any security concern as mentioned in the referenced post, because I have already modified Expression/ObjectIdentifier to not use the Python interpreter.

Kunda1

2020-02-23 23:03

administrator   ~0014180

Last edited: 2020-02-23 23:05

@realthunder wow, that's awesome news! There are other expression/spreadsheet issues here on the tracker. I wonder, and I want to be mindful of your time, if we can go through them and see if your PR also addresses them?

Edit: If the PR does address and solve them, would it be possible to use the MantisBT wildcard triggers in the Git commit to remotely close said issues?
See https://www.freecadweb.org/wiki/Tracker#GitHub_and_MantisBT

realthunder

2020-02-24 01:53

developer   ~0014182

I'll go through them when I get time. But some of them may be fixed already in upstream. I can't modify the commit message there. Would it be enough for me to just refer to the relevant commit in the issue comment?

realthunder

2020-02-27 05:56

developer   ~0014187

Extended indexing support is added with this commit in upstream.

Issue History

Date Modified Username Field Change
2018-03-24 10:28 eivindkvedalen New Issue
2018-03-24 10:28 eivindkvedalen Status new => assigned
2018-03-24 10:28 eivindkvedalen Assigned To => eivindkvedalen
2019-12-03 04:29 ezzieyguywuf Note Added: 0013858
2020-02-23 19:53 Kunda1 Note Added: 0014178
2020-02-23 21:47 realthunder Note Added: 0014179
2020-02-23 23:03 Kunda1 Note Added: 0014180
2020-02-23 23:03 Kunda1 Assigned To eivindkvedalen => realthunder
2020-02-23 23:05 Kunda1 Note Edited: 0014180
2020-02-24 01:53 realthunder Note Added: 0014182
2020-02-27 05:56 realthunder Note Added: 0014187