Amaury Forgeot d'Arc <amaur...@gmail.com> added the comment: I carefully looked at all places that store ->ob_type or Py_TYPE() in a local variable, and I could not find any exploit. Most places don't reuse the type once the method or the slot has been called.
Two places were harder to analyze: subtype_clear (but an attack would use __del__, and use a reference cycle: subtype_clear is never called in this case) and PyObject_Generic(Get|Set)Attr (the only escape path to python code could be through PyType_Ready; but it has already been called for heap types) _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue5283> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
