[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-06 Thread Serhiy Storchaka
Change by Serhiy Storchaka: resolution: -> not a bug; stage: -> resolved; status: open -> closed

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-03 Thread bigbigliang
bigbigliang added the comment: Thank you for your answer. I am a student and very interested in Python. I want to continue digging for Python bugs, but I am not good at this area. I want to keep looking for loopholes. from:bigbigliang Christian Heimes wrote on Wednesday, April 3, 2019 at 5:33 PM: > > Christian Hei

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-03 Thread bigbigliang
bigbigliang added the comment: > > Certainly. > >

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-03 Thread Christian Heimes
Christian Heimes added the comment: Could you please do us a favor and contact MITRE to get the CVE number revoked? Please CC secur...@python.org so we have a record of the emails.

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-02 Thread bigbigliang
bigbigliang added the comment: Yes, as you said. I think this problem can be closed. My initial idea was that if a user carefully constructs a vulnerability point, it may cause some danger, such as 'getattr(os,"system")("/bin/sh")'. So I have some ideas about whether it is necessary to filter it

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-02 Thread SilentGhost
SilentGhost added the comment: As another note, this seems to be a third "security" issue created in less than a week to the same template (others are 36260 and 36462). I hope it's some assignment due soon. -- nosy: +SilentGhost

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-02 Thread Josh Rosenberg
Josh Rosenberg added the comment: I'll note that, based on the title, I'm skeptical of the claim of a vulnerability. getattr is effectively *designed* to execute arbitrary code if called on an appropriate object (one where the class defines __getattribute__; defines __getattr__ without defin

[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr

2019-04-02 Thread STINNER Victor
Change by STINNER Victor: title: An arbitrary execution vulnerability exists in the built-in function getattr -> [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr