New submission from Ammar Askar <am...@ammaraskar.com>:
It is possible to access all the frame objects in the interpreter without triggering any audit hooks through the use of exceptions. Namely, through the traceback's tb_frame property. Ordinarily one would trigger the "sys._current_frames" or "sys._getframe" event but this code path bypasses those.

There is already precedent for raising events for certain sensitive properties such as `__code__` in funcobject (through an "object.__getattr__" event), so perhaps this property should be protected in a similar way.

This issue was recently demonstrated in a security competition:

* https://github.com/hstocks/ctf_writeups/blob/master/2020/hxp/audited/README.md
* https://github.com/fab1ano/hxp-ctf-20/blob/master/audited/README.md

----------
assignee: steve.dower
components: Library (Lib)
keywords: security_issue
messages: 384143
nosy: ammar2, christian.heimes, steve.dower
priority: normal
severity: normal
status: open
title: Traceback objects allow accessing frame objects without triggering audit hooks
type: security
versions: Python 3.10, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42800>
_______________________________________
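An audit-coverage check for the gap reported above, added here as an example and not part of the original submission or of CPython: it records which audit events fire for `sys._getframe()` and for a read of `tb_frame`, so you can tell whether the interpreter you deploy audits the traceback path. The helper names (`record_events`, `tb_frame_is_audited`, `getframe_is_audited`) are hypothetical, and the check assumes that an audited `tb_frame` read is reported as an "object.__getattr__" event carrying the attribute name, following the `__code__` precedent the report cites.

```python
import sys

_recording = None  # list collecting (event, args) while a probe runs, else None


def _hook(event, args):
    # Audit hooks cannot be removed, so record only while a probe is active.
    if _recording is not None:
        _recording.append((event, args))


sys.addaudithook(_hook)


def record_events(probe):
    """Run probe() and return the audit events raised while it ran."""
    global _recording
    _recording = []
    try:
        probe()
    finally:
        events, _recording = _recording, None
    return events


def probe_getframe():
    sys._getframe()  # the audited path named in the report


def probe_tb_frame():
    try:
        raise RuntimeError("constructed exception for the probe")
    except RuntimeError as exc:
        exc.__traceback__.tb_frame  # the access described in the report


def getframe_is_audited():
    return any(ev == "sys._getframe" for ev, _ in record_events(probe_getframe))


def tb_frame_is_audited():
    """True if reading tb_frame raised object.__getattr__ for 'tb_frame'."""
    return any(
        ev == "object.__getattr__" and len(args) >= 2 and args[1] == "tb_frame"
        for ev, args in record_events(probe_tb_frame)
    )


if __name__ == "__main__":
    print("sys._getframe audited:", getframe_is_audited())
    print("tb_frame access audited:", tb_frame_is_audited())
```

A `False` on the second line means hooks relying on "sys._getframe" and "sys._current_frames" alone do not see frame access through tracebacks on that interpreter.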