# Unsafe: jinja2 Environment.compile_expression accepts an arbitrary
# expression source; tainted input compiles into an executable callable.
from jinja2 import Environment
from flask import request
def handler():
    """Evaluate the ``expr`` form field as a Jinja2 expression and return it as text.

    This handler is intentionally vulnerable (see the "Unsafe" header comment
    of this file): the expression *source* comes straight from the request, so
    the client chooses what code Jinja2 compiles and runs on the server. This
    is the expression-level form of server-side template injection.

    Review notes for anyone copying this pattern into real code:
      * Keep the expression source a constant owned by the application and
        pass request data only as context values to the compiled callable.
      * ``jinja2.sandbox.SandboxedEnvironment`` narrows what an expression can
        reach, but treat it as defense in depth, not as a reason to accept
        user-authored expression source.
      * For detection, the taint flow is ``request.form[...]`` (source) into
        the first argument of ``Environment.compile_expression`` (sink).
    """
    # Plain, non-sandboxed environment with default settings.
    jinja_env = Environment()

    # Taint source: raw, unvalidated form data controlled by the client.
    untrusted_src = request.form["expr"]

    # Sink: the untrusted string is compiled into an executable callable.
    compiled = jinja_env.compile_expression(untrusted_src)

    # An empty context does not make this safe: the expression language itself
    # (literals, attribute/item access, environment globals) stays reachable.
    result = compiled({})
    return str(result)