Daniel Urban urban.dani...@gmail.com added the comment:
The new entry in Misc/NEWS says: Patch by Daniel Urban. But it wasn't me who
made the patch; I just opened the issue.
--
___
Python tracker rep...@bugs.python.org
Roundup Robot devnull@devnull added the comment:
New changeset 382cb3386d57 by Benjamin Peterson in branch '3.2':
correct patch ack (#11133)
http://hg.python.org/cpython/rev/382cb3386d57
Michael Foord mich...@voidspace.org.uk added the comment:
Thanks Daniel (and sorry Andreas). Benjamin Peterson has fixed this.
http://bugs.python.org/issue11133
Roundup Robot devnull@devnull added the comment:
New changeset 8c7eac34f7bf by Michael Foord in branch '3.2':
Closes issue 11133. Fixes two cases where inspect.getattr_static could trigger
code execution
http://hg.python.org/cpython/rev/8c7eac34f7bf
--
nosy: +python-dev
resolution: -
Michael Foord mich...@voidspace.org.uk added the comment:
__dict__ as a property is documented as an exception to the no code execution
claim.
The patch is not sufficient - instances may have a class member __dict__
whilst still having an instance __dict__. Alternatively the __dict__ property
Andreas Stührk andy-pyt...@hammerhartes.de added the comment:
> The patch is not sufficient - instances may have a class member __dict__
> whilst still having an instance __dict__.
Sure, but I don't think there is a way you can access the instance
__dict__ in that case inside Python code. At
Florian Mayer florma...@aim.com added the comment:
Apparently another way to get getattr_static to execute code in Python 2.3rc3
is simply the following.
>>> class Foo:
...     @property
...     def __dict__(self):
...         print("Hello, World.")
...         return {}
...
>>> import inspect
Andreas Stührk andy-pyt...@hammerhartes.de added the comment:
Attached is a patch that fixes the issue: The dict methods are now used
directly and before every access to an instance's __dict__ attribute, it is
checked that that attribute is really the instance's attribute and not a class
New submission from Daniel Urban urban.dani...@gmail.com:
The documentation of getattr_static says:
The only known case that can cause getattr_static to trigger code execution,
and cause it to return incorrect results (or even break), is where a class uses
__slots__ and provides a __dict__
Michael Foord mich...@voidspace.org.uk added the comment:
The fix is to use dict methods rather than accessing members through the
instance. It will have to wait until 3.2 is out now though.
--
___
Python tracker rep...@bugs.python.org
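The two points raised in this thread (use dict methods directly, and check whether __dict__ is really the instance's own attribute) can be checked with the following added example, which is not code from the tracker or from the patch. The classes LoudDict, Plain and Noisy and the helper functions are constructed for illustration.

```python
import inspect

calls = []  # every entry means user-defined code ran during a lookup


class LoudDict(dict):
    """Constructed dict subclass whose get() has a side effect."""
    def get(self, key, default=None):
        calls.append("LoudDict.get")
        return super().get(key, default)


class Plain:
    pass


class Noisy:
    """Constructed class that shadows __dict__ with a property."""
    @property
    def __dict__(self):
        calls.append("__dict__ property")
        return {}

    @property
    def computed(self):
        calls.append("computed property")
        return 42


def traced(lookup, obj, name):
    """Run lookup(obj, name); return (result, user code triggered by it)."""
    del calls[:]
    result = lookup(obj, name)
    return result, list(calls)


def via_instance(obj, name):
    # Lookup through the instance dict: dispatches to whatever get() it has.
    return object.__getattribute__(obj, "__dict__").get(name)


def via_dict_method(obj, name):
    # Base dict method: subclass overrides are bypassed, but fetching
    # __dict__ itself still runs a shadowing property if one exists.
    return dict.get(object.__getattribute__(obj, "__dict__"), name)


plain = Plain()
plain.__dict__ = LoudDict(x=1)   # an instance dict may be a dict subclass
noisy = Noisy()
```

Calling `traced(inspect.getattr_static, obj, name)` on either object returns an empty call list on a Python that includes the fix, while `via_dict_method` on `noisy` still records the `__dict__` property, which is why the dict-method change alone does not cover the shadowed case.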
Changes by Michael Foord mich...@voidspace.org.uk:
--
assignee: - michael.foord