[issue11133] inspect.getattr_static code execution

2011-03-16 Thread Michael Foord

Michael Foord added the comment:

Thanks Daniel (and sorry Andreas). Benjamin Peterson has fixed this.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue11133] inspect.getattr_static code execution

2011-03-16 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 382cb3386d57 by Benjamin Peterson in branch '3.2':
correct patch ack (#11133)
http://hg.python.org/cpython/rev/382cb3386d57

--




[issue11133] inspect.getattr_static code execution

2011-03-16 Thread Daniel Urban

Daniel Urban added the comment:

The new entry in Misc/NEWS says: "Patch by Daniel Urban." But it wasn't me who 
made the patch; I just opened the issue.

--




[issue11133] inspect.getattr_static code execution

2011-03-15 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 8c7eac34f7bf by Michael Foord in branch '3.2':
Closes issue 11133. Fixes two cases where inspect.getattr_static could trigger 
code execution
http://hg.python.org/cpython/rev/8c7eac34f7bf

--
nosy: +python-dev
resolution:  -> fixed
stage:  -> committed/rejected
status: open -> closed




[issue11133] inspect.getattr_static code execution

2011-02-21 Thread Andreas Stührk

Andreas Stührk added the comment:

Updated patch.

--
Added file: http://bugs.python.org/file20830/inspect_issue_11133_v2.patch




[issue11133] inspect.getattr_static code execution

2011-02-21 Thread Andreas Stührk

Andreas Stührk added the comment:

> The patch is not sufficient - instances may have a class member "__dict__" 
> whilst still having an instance __dict__.

Sure, but I don't think there is a way how you can access the instance
__dict__ in that case inside Python code. At least I can't think of
one.

> Alternatively the "__dict__" property may be provided by a base class and so 
> not available in "type(obj).__dict__" but still be provided by a property.
>
> I don't think there is any general way to tell whether fetching obj.__dict__ 
> will get an instance dictionary or fetch a "__dict__" member from the class 
> or a base-class... (Hence the documented exception.)

Why not? ``obj.__dict__`` will fetch the instance dictionary iff there
is no class attribute "__dict__" in any of the base classes. In the
patch, ``type.__dict__["__dict__"].__get__()`` is used to get (without
any doubt) the class dictionary. By looking inside that dictionary, we
can now tell whether "__dict__" is overwritten: if it isn't
overwritten, the dictionary either doesn't have a "__dict__" entry at
all or the value is a getset_descriptor. So we just need to iterate
over a type's mro, look inside each entry's dictionary and stop when
a "__dict__" entry is found.

--




[issue11133] inspect.getattr_static code execution

2011-02-21 Thread Michael Foord

Michael Foord added the comment:

__dict__ as a property is documented as an exception to the "no code execution" 
claim.

The patch is not sufficient - instances may have a class member "__dict__" 
whilst still having an instance __dict__. Alternatively the "__dict__" property 
may be provided by a base class and so not available in "type(obj).__dict__" 
but still be provided by a property.

I don't think there is any general way to tell whether fetching obj.__dict__ 
will get an instance dictionary or fetch a "__dict__" member from the class or 
a base-class... (Hence the documented exception.)

--




[issue11133] inspect.getattr_static code execution

2011-02-20 Thread Andreas Stührk

Andreas Stührk added the comment:

Attached is a patch that fixes the issue: The dict methods are now used 
directly and before every access to an instance's "__dict__" attribute, it is 
checked that that attribute is really the instance's attribute and not a class 
attribute of the instance's type.

--
keywords: +patch
nosy: +Trundle
Added file: http://bugs.python.org/file20811/inspect_issue_11133.patch




[issue11133] inspect.getattr_static code execution

2011-02-20 Thread Florian Mayer

Florian Mayer added the comment:

Apparently another way to get getattr_static to execute code in Python 2.3rc3 
is simply the following.

>>> class Foo:
...     @property
...     def __dict__(self):
...         print("Hello, World.")
...         return {}
... 
>>> import inspect
>>> inspect.getattr_static(Foo(), 'a')
Hello, World.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/name/opt/lib/python3.2/inspect.py", line 1130, in getattr_static
    raise AttributeError(attr)
AttributeError: a
>>>

--
nosy: +segfaulthunter




[issue11133] inspect.getattr_static code execution

2011-02-06 Thread Michael Foord

Changes by Michael Foord:


--
assignee:  -> michael.foord




[issue11133] inspect.getattr_static code execution

2011-02-06 Thread Michael Foord

Michael Foord added the comment:

The fix is to use dict methods rather than accessing members through the 
instance. It will have to wait until 3.2 is out now though.

--




[issue11133] inspect.getattr_static code execution

2011-02-06 Thread Daniel Urban

New submission from Daniel Urban:

The documentation of getattr_static says:
"The only known case that can cause getattr_static to trigger code execution, 
and cause it to return incorrect results (or even break), is where a class uses 
__slots__ and provides a __dict__ member using a property or descriptor. If you 
find other cases please report them so they can be fixed or documented."

I'd like to report another case: when an object's __dict__ is an instance of a 
dict subclass which overrides dict.get:

>>> import inspect
>>> _sentinel = object()
>>> 
>>> class MyDict(dict):
...     def get(self, key, default=_sentinel):
...         print('Hello World!') # This code will execute
...         if default is _sentinel:
...             return super().get(key)
...         else:
...             return super().get(key, default)
... 
>>> class X:
...     def __init__(self):
...         self.__dict__ = MyDict()
... 
>>> x = X()
>>> inspect.getattr_static(x, 'foo', 0)
Hello World!
0
>>> 

(In line 1072, _check_instance calls MyDict.get: instance_dict.get(attr, 
_sentinel).)

--
components: Library (Lib)
messages: 128067
nosy: durban, michael.foord
priority: normal
severity: normal
status: open
title: inspect.getattr_static code execution
versions: Python 3.2

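As an added example (not code from this thread nor from the committed patch), a simplified static lookup that closes both cases reported here: Daniel's dict-subclass get() override is bypassed by calling dict.get on the dict type, as Michael's fix describes, and Florian's "__dict__" property is detected by walking the MRO for a "__dict__" entry that is not the interpreter's getset_descriptor, as Andreas sketches. The names safe_getattr_static, NoisyDict, HasNoisyDict and DictProperty are constructed for the demonstration, and the data-descriptor precedence of the real inspect.getattr_static is left out.

```python
import types
_sentinel = object()
_hook_calls = []  # constructed: records any user-defined code that ran

def _class_dicts(klass):
    # Fetch each MRO entry's class dict via the type slot, never a property.
    dict_slot = type.__dict__["__dict__"]
    for entry in klass.__mro__:
        yield dict_slot.__get__(entry)

def _instance_dict_is_real(obj):
    # True only if the first "__dict__" found along the MRO is the interpreter's own
    # getset_descriptor, i.e. not a property or other user-defined override.
    for cdict in _class_dicts(type(obj)):
        if "__dict__" in cdict:
            return type(cdict["__dict__"]) is types.GetSetDescriptorType
    return False  # __slots__-only class: no instance dict

def safe_getattr_static(obj, attr, default=_sentinel):
    # Simplified static lookup: instance dict first, then class dicts.
    if _instance_dict_is_real(obj):
        instance_dict = object.__getattribute__(obj, "__dict__")
        # dict.get on the dict type itself bypasses a subclass's get().
        value = dict.get(instance_dict, attr, _sentinel)
        if value is not _sentinel:
            return value
    for cdict in _class_dicts(type(obj)):
        if attr in cdict:
            return cdict[attr]
    if default is _sentinel:
        raise AttributeError(attr)
    return default

# Constructed test doubles mirroring the two reports in this thread.
class NoisyDict(dict):
    def get(self, key, default=None):
        _hook_calls.append("NoisyDict.get")
        return super().get(key, default)

class HasNoisyDict:
    def __init__(self):
        self.__dict__ = NoisyDict(foo=1)

class DictProperty:
    bar = 2
    @property
    def __dict__(self):
        _hook_calls.append("DictProperty.__dict__")
        return {"a": "from property"}
```

After the lookups, _hook_calls stays empty; plain attribute access such as HasNoisyDict().__dict__.get("foo") or DictProperty().__dict__ would have appended to it.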