Hey Armin,
On Mon, Mar 21, 2011 at 12:56 PM, Armin Ronacher <[email protected]> wrote:
> Hi,
>
> On 2011-03-21 4:21 PM, Joshua Bronson wrote:
>
>> I suspected there was some good reason. Now I'm curious how you could
>> use the built-in dict to break something. :)
>>
>
> As it turns out, **foo now has the same logic as dict(foo) so it already
> can be used to bypass the sandbox if someone is careful designing the
> classes. I might change the dict at that point, not yet decided.
>
When you say **foo now has the same logic as dict(foo), are you referring to
a language change in Python? A change in Jinja2? I tried to find the change
you were referring to but couldn't find it.
> The problem is that if an object has a .keys(), dict will use that to
> __getitem__ all values which bypasses environment.getitem which is normally
> used to do the lookups.
I tried to reproduce the exploit you describe:

    from flask import Flask, url_for
    from jinja2 import Template

    app = Flask(__name__)

    @app.route('/test')
    def test(**kw):
        class Malicious(dict):
            def __getitem__(self, name):
                return 'pwned'
            def keys(self):  # 'self' was missing in the originally posted code
                return ['pwned']
        return Template('{{ url_for("test", **view_args) }}').render(
            url_for=url_for,
            view_args=Malicious(),
        )

But no pwnage. Am I doing it wrong?
Thanks for explaining!
Josh
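An added example (not from this thread, Jinja2 or Flask) that makes the mechanism Armin describes observable: a call counter shows that dict(foo) and **foo invoke keys() and then __getitem__ on a non-dict object with the keys() protocol, but never on a dict subclass, and via_hook shows the hardened conversion that fetches every value through the lookup hook instead. sandbox_getitem and BLOCKED are constructed stand-ins for environment.getitem and its unsafe marker, not Jinja2's real policy.

```python
# Added example (not from the thread or Jinja2); sandbox_getitem is a
# constructed stand-in for environment.getitem, not Jinja2's real policy.
BLOCKED = "<blocked>"  # stand-in for the sandbox's "unsafe" marker

class HookedMapping:
    """Non-dict object with the keys() protocol: dict() and ** call keys()
    and then __getitem__, so the object's own __getitem__ picks the values."""
    def __init__(self, data):
        self._data = data
        self.getitem_calls = 0
    def keys(self):
        return list(self._data)
    def __getitem__(self, key):
        self.getitem_calls += 1
        return self._data[key]

class HookedDictSubclass(dict):
    """Same overrides on a dict subclass: CPython copies the underlying hash
    table directly, so neither keys() nor __getitem__ is consulted."""
    def __init__(self, data):
        super().__init__(data)
        self.getitem_calls = 0
    def keys(self):
        return list(super().keys())
    def __getitem__(self, key):
        self.getitem_calls += 1
        return super().__getitem__(key)

def via_dict(mapping):
    """dict(foo): Python decides which lookups happen; no hook involved."""
    return dict(mapping)

def via_star_star(mapping):
    """f(**foo): per the thread, now the same logic as dict(foo)."""
    def collect(**kw):
        return kw
    return collect(**mapping)

def sandbox_getitem(obj, key):
    """Constructed hook: refuse underscore-prefixed keys, as a sandbox might."""
    if isinstance(key, str) and key.startswith("_"):
        return BLOCKED
    return obj[key]

def via_hook(mapping, getitem=sandbox_getitem):
    """Hardened conversion: every value is fetched through the hook."""
    return {key: getitem(mapping, key) for key in mapping.keys()}
```

The zero call count for the dict subclass is why overriding __getitem__ on a dict subclass is not consulted by dict() or **; the hook-based conversion keeps the sandbox in the loop regardless of what the object overrides.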
--
You received this message because you are subscribed to the Google Groups
"pocoo-libs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pocoo-libs?hl=en.