Guido van Rossum wrote:
> Thanks Amaury! Do you think it would be sufficient to change the
> PyString_Check() call in PyEval_EvalCodeEx into a
> PyString_CheckExact() call?

This would prevent this "attack", but would remain fragile - future
developments could allow execution of Python code somewhere.

> Or is the proper fix to incref the values
> going into the kw array and decref them upon exit?

Yet Another Kind Of Tuple... However this seems the correct thing to do.

In addition, if we agree to restrict arguments names to str (and
disallow subclasses), there are easy optimizations in
PyEval_EvalCodeEx, somewhere around the "XXX slow" comment (!)

-- 
Amaury Forgeot d'Arc
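The reason the incref/decref fix is the robust one, illustrated with an added toy model that is not CPython's code and not part of this thread: a tiny reference-counted object and a stand-in "dict" that owns the keyword names. The `hostile_eq` hook is an assumption standing in for arbitrary Python code running during the name comparison (the str-subclass case discussed above). The buggy variant keeps only borrowed pointers in the `kw` array; the fixed variant takes its own reference on entry and releases it on exit. Instead of really freeing memory, objects record a `freed` flag so the hazard is observable rather than undefined behaviour.

```c
#include <stddef.h>

/* Toy model of a reference-counted object. This is NOT CPython's PyObject:
   instead of really freeing memory, 'freed' is set, so that the hazard is
   observable rather than undefined behaviour. */
typedef struct {
    int refcnt;
    int freed;
} Obj;

static void obj_incref(Obj *o) { o->refcnt++; }

static void obj_decref(Obj *o) {
    if (--o->refcnt == 0)
        o->freed = 1;                    /* stands in for deallocation */
}

/* Stand-in for the caller's keyword dict: the only owner of the name objects. */
#define MAX_KW 4
typedef struct {
    Obj *items[MAX_KW];
    int n;
} KwDict;

/* Assumed hook standing in for "Python code runs during the name comparison":
   a hostile __eq__ that clears the dict, dropping its references to the names. */
static void hostile_eq(KwDict *d) {
    for (int i = 0; i < d->n; i++) {
        obj_decref(d->items[i]);
        d->items[i] = NULL;
    }
    d->n = 0;
}

/* Walk the kw array the way a keyword-matching loop would. 'owned' selects
   the fixed variant (incref on entry, decref on exit) over the buggy one
   (borrowed pointers only). Returns 1 if a freed object was touched. */
static int match_keywords(KwDict *d, int owned) {
    Obj *kw[MAX_KW];
    int n = d->n;
    int touched_freed = 0;

    for (int i = 0; i < n; i++) {
        kw[i] = d->items[i];             /* borrowed from the dict */
        if (owned)
            obj_incref(kw[i]);           /* fix: take our own reference */
    }

    for (int i = 0; i < n; i++) {
        hostile_eq(d);                   /* arbitrary user code may run here */
        if (kw[i]->freed)
            touched_freed = 1;           /* in real CPython: use-after-free */
    }

    if (owned)
        for (int i = 0; i < n; i++)
            obj_decref(kw[i]);           /* release on exit, so nothing leaks */

    return touched_freed;
}

/* Build a dict owning two names (constructed data), run the matcher and
   report a bit mask: bit 0 = a freed object was touched, bit 1 = a name is
   still alive after everyone has let go of it (a leak). */
int demo(int owned) {
    Obj names[2] = { {1, 0}, {1, 0} };   /* refcnt 1: owned by the dict only */
    KwDict d = { { &names[0], &names[1], NULL, NULL }, 2 };

    int result = match_keywords(&d, owned);

    for (int i = 0; i < 2; i++)
        if (!names[i].freed)
            result |= 2;                 /* leaked */
    return result;
}
```

`demo(0)` (borrowed pointers) reports that a freed object was touched, while `demo(1)` (owned references) reports neither a dangling access nor a leak, because the extra reference keeps each name alive until the loop is done with it. The PyString_CheckExact() change only removes one way for user code to run inside the loop; taking owned references removes the hazard regardless of what runs there.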
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
