Le Tuesday 24 February 2009 01:31:55 Victor Stinner, vous avez écrit : > (...) > But how can we get the closure if b.func_closure doesn't exist? Oh, wait! > What's this: b.__getattribute__... > ------------------------------------- > secret = get_cell_value(b.__getattribute__('func_closure')[0]) > ------------------------------------- > (...)
Before this exploit, I tried to rewrite get_cell_value() to avoid reading func_xxx ... but it does work, I always need the closure data to get the secret. Anyway, I think that creating executing arbitrary Python bytecode have to be blocked! compile() have to be removed from __builtins__ Extract of my try to rewrite get_cell_value(): ------------------------------------ # get code class c = compile('1', '<string>', 'eval') code = c.__class__ # get function class def func(): pass function = type(func) function.__dict__.clear() # code(argcount, nlocals, stacksize, flags, codestring, constants, names, # varnames, filename, name, firstlineno, lnotab, freevars, cellvars) func_code=code(0, 0, 1, 19, '\x88\x00\x00S', (None,), tuple(), tuple(), '<string>', 'hack', 3, '\x00\x01', ('fileobj',), tuple()) closure = b.func_closure # FIXME: Get b closure!? newread = function(func_code, globals(), func_code.co_name, None, closure) fileobj = newread() ------------------------------------ I'm able to get the code class and so create arbitrary code object, that's bad! If the user is unable to create a code object (no more compile()) or to get the code of a function, it's fine. Note: The byteocode is the bytecode of b() in the following code: def a(): secret = 42 def b(): return secret return b() -- Victor Stinner aka haypo http://www.haypocalc.com/blog/ _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com