> Using "setattr" to set attributes, where the attribute string
> comes from an external source, can create a security hole. Remember
> that you can override functions on an object, for that object only,
> by setting an attribute. This offers the opportunity for an attack
> similar to SQL injection. Think about what this can do to a parser
> that has and calls a method "display" for each element:
>
> <element display='lambda x : subprocess.Popen("rm -r -f /")'>
>
> You are pwned.
Nope. You’d have to give setattr a function object, not a string.
Regards
_______________________________________________
Python-Dev mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
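An added example (not code from either poster) that runs the exchange above end to end: a toy parser that copies attribute strings onto an element with setattr, the element's display() being called afterwards, and an allow-listed variant that keeps untrusted attribute names off the object entirely. The Element class, the parse functions and the sample attribute dict are all constructed for this illustration.

```python
# Constructed sample input: the attribute/value pair from the quoted message.
# It reaches the parser as text, the way any XML/HTML attribute value does.
UNTRUSTED_ATTRS = {"display": 'lambda x : subprocess.Popen("rm -r -f /")'}


class Element:
    """Minimal element; the parser calls display() on each one after parsing."""

    def __init__(self, tag):
        self.tag = tag

    def display(self):
        return f"<{self.tag}>"


def naive_parse(tag, attrs):
    """The pattern the thread worries about: every attribute name from the
    document becomes an instance attribute via setattr."""
    el = Element(tag)
    for name, value in attrs.items():
        setattr(el, name, value)
    return el


ALLOWED_ATTRS = frozenset({"id", "title"})


def safe_parse(tag, attrs):
    """Hardened variant: attribute names are checked against an allow-list and
    stored in a plain dict, so document text can never shadow a method."""
    el = Element(tag)
    el.attrs = {}
    for name, value in attrs.items():
        if name not in ALLOWED_ATTRS:
            continue  # unknown names are dropped rather than set on the object
        el.attrs[name] = value
    return el


def render(el):
    """Call el.display() and report what actually happened."""
    try:
        return ("ok", el.display())
    except TypeError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    naive = naive_parse("element", UNTRUSTED_ATTRS)
    # The instance attribute shadows the class method, but it is a str, not a
    # function: calling it raises TypeError and nothing is executed.
    print(type(naive.display).__name__, render(naive))
    safe = safe_parse("element", UNTRUSTED_ATTRS)
    print(safe.attrs, render(safe))
```

What the run shows is the reply's point: setattr stores the string as-is, so `naive.display` is a `str` and calling it fails with "'str' object is not callable"; no code in the string is evaluated. The residual problem with the naive parser is that document-controlled names can shadow any attribute, including `tag` or `display`, which breaks the object rather than compromising the host. The allow-listed parser avoids both effects by never letting external names reach setattr.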