New submission from Daniel Urban <[email protected]>:
The documentation of getattr_static says:
"The only known case that can cause getattr_static to trigger code execution,
and cause it to return incorrect results (or even break), is where a class uses
__slots__ and provides a __dict__ member using a property or descriptor. If you
find other cases please report them so they can be fixed or documented."
I'd like to report another case: when an object's __dict__ is an instance of a
dict subclass which overrides dict.get:
>>> import inspect
>>> _sentinel = object()
>>>
>>> class MyDict(dict):
...     def get(self, key, default=_sentinel):
...         print('Hello World!')  # This code will execute
...         if default is _sentinel:
...             return super().get(key)
...         else:
...             return super().get(key, default)
...
>>> class X:
...     def __init__(self):
...         self.__dict__ = MyDict()
...
>>> x = X()
>>> inspect.getattr_static(x, 'foo', 0)
Hello World!
0
>>>
(In line 1072, _check_instance calls MyDict.get: instance_dict.get(attr,
_sentinel).)
----------
components: Library (Lib)
messages: 128067
nosy: durban, michael.foord
priority: normal
severity: normal
status: open
title: inspect.getattr_static code execution
versions: Python 3.2
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue11133>
_______________________________________
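
Added example (not part of the original report, and not the inspect module's own code): it contrasts the call shape quoted in the report with a lookup through the unbound dict.get, which never dispatches to a subclass override, and probes the running interpreter. The names CountingDict, MISSING, naive_lookup, hardened_lookup, override_calls and interpreter_is_affected are hypothetical.

```python
import inspect

MISSING = object()  # hypothetical sentinel, stands in for inspect's private one


class CountingDict(dict):
    """Constructed dict subclass whose get() records every call."""
    calls = 0

    def get(self, key, default=None):
        type(self).calls += 1
        return super().get(key, default)


class X:
    def __init__(self):
        # Same setup as the report: the instance __dict__ is a dict subclass.
        self.__dict__ = CountingDict(present=1)


def naive_lookup(obj, attr):
    """Call shape quoted in the report: dispatches to the subclass's get()."""
    instance_dict = object.__getattribute__(obj, "__dict__")
    return instance_dict.get(attr, MISSING)


def hardened_lookup(obj, attr):
    """Unbound dict.get: runs the built-in method, ignoring any override."""
    instance_dict = object.__getattribute__(obj, "__dict__")
    return dict.get(instance_dict, attr, MISSING)


def override_calls(lookup, attr="foo"):
    """Return (lookup result, number of times the overridden get() ran)."""
    CountingDict.calls = 0
    result = lookup(X(), attr)
    return result, CountingDict.calls


def interpreter_is_affected():
    """True if this interpreter's getattr_static runs the overridden get()."""
    _, calls = override_calls(lambda o, a: inspect.getattr_static(o, a, 0))
    return calls > 0


if __name__ == "__main__":
    print("naive:   ", override_calls(naive_lookup)[1], "override call(s)")
    print("hardened:", override_calls(hardened_lookup)[1], "override call(s)")
    print("this interpreter affected:", interpreter_is_affected())
```
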