[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Michael Foord]

Changes by Michael Foord :


--
resolution:  -> invalid
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Daniel Urban]

Changes by Daniel Urban :


--
nosy: +durban

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Éric Araujo]

Éric Araujo  added the comment:

I shot too fast, you were right.  The mapping returned by __prepare__ is used 
during class creation, but __dict__ on the instance is a basic dict afterwards 
(not sure the doc is clear, I tested it in a shell).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Éric Araujo]

Éric Araujo  added the comment:

Andreas:  metaclass.__prepare__ can return any mapping object.  See 
http://docs.python.org/dev/reference/datamodel#customizing-class-creation

--
nosy: +eric.araujo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Andreas Stührk]

Andreas Stührk  added the comment:

Can you perhaps elaborate on the first part? I really can't see right now how a 
class __dict__ can be something different from a dictionary. It's true that the 
class dict can be any mapping while the class is being created, but that's 
uninteresting for getattr_static as there is no class object yet that one can 
pass to getattr_static.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Andreas Stührk]

Changes by Andreas Stührk :


--
nosy: +Trundle

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[ysj.ray]

Changes by ysj.ray :


--
nosy: +ysj.ray

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11764] inspect.getattr_static code execution w/ class body as non dict

[Michael Foord]

New submission from Michael Foord :

In Python 3 a metclass can create a class __dict__ that is not a true 
dictionary. This can trigger code execution when accessing __dict__ members. 
getattr_static should not access them directly but do so using dict methods 
directly for dict subclasses and skipping classes that have non-dicts for 
__dict__.

The documentation should mention explicitly that the "no code execution" 
feature of this function is *not* a security feature and should not be relied 
on for security purposes.

--
assignee: michael.foord
components: Library (Lib)
messages: 132967
nosy: michael.foord
priority: normal
severity: normal
stage: test needed
status: open
title: inspect.getattr_static code execution w/ class body as non dict
versions: Python 3.2, Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com