[issue11133] inspect.getattr_static code execution
Daniel Urban urban.dani...@gmail.com added the comment: The new entry in Misc/NEWS says: Patch by Daniel Urban. But it wasn't me, who made the patch, I just opened the issue. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Roundup Robot devnull@devnull added the comment: New changeset 382cb3386d57 by Benjamin Peterson in branch '3.2': correct patch ack (#11133) http://hg.python.org/cpython/rev/382cb3386d57 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Michael Foord mich...@voidspace.org.uk added the comment: Thanks Daniel (and sorry Andreas). Benjamin Peterson has fixed this. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Roundup Robot devnull@devnull added the comment: New changeset 8c7eac34f7bf by Michael Foord in branch '3.2': Closes issue 11133. Fixes two cases where inspect.getattr_static could trigger code execution http://hg.python.org/cpython/rev/8c7eac34f7bf -- nosy: +python-dev resolution: - fixed stage: - committed/rejected status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Michael Foord mich...@voidspace.org.uk added the comment: __dict__ as a property is documented as an exception to the no code execution claim. The patch is not sufficient - instances may have a class member __dict__ whilst still having an instance __dict__. Alternatively the __dict__ property may be provided by a base class and so not available in type(obj).__dict__ but still be provided by a property. I don't think there is any general way to tell whether fetching obj.__dict__ will get an instance dictionary or fetch a __dict__ member from the class or a base-class... (Hence the documented exception.) -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Andreas Stührk andy-pyt...@hammerhartes.de added the comment: The patch is not sufficient - instances may have a class member __dict__ whilst still having an instance __dict__. Sure, but I don't think there is a way how you can access the instance __dict__ in that case inside Python code. At least I can't think of one. Alternatively the __dict__ property may be provided by a base class and so not available in type(obj).__dict__ but still be provided by a property. I don't think there is any general way to tell whether fetching obj.__dict__ will get an instance dictionary or fetch a __dict__ member from the class or a base-class... (Hence the documented exception.) Why not? ``obj.__dict__`` will fetch the instance dictionary iff there is no class attribute __dict__ in any of the base classes. In the patch,``type.__dict__[__dict__].__get__()`` is used to get (without any doubt) the class dictionary. By looking inside that dictionary, we can now tell whether __dict__ is overwritten: If it isn't overwritten, the dictionary either doesn't have a __dict__ entry at all or the value is a getset_descriptor. So we just need to iterate over a type's mro, look inside each entries' dictionary and stop when a __dict__ entry is found. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Florian Mayer florma...@aim.com added the comment: Apparently another way to get getattr_static to execute code in Python 2.3rc3 is simply the following. class Foo: ... @property ... def __dict__(self): ... print(Hello, World.) ... return {} ... import inspect inspect.getattr_static(Foo(), 'a') Hello, World. Traceback (most recent call last): File stdin, line 1, in module File /home/name/opt/lib/python3.2/inspect.py, line 1130, in getattr_static raise AttributeError(attr) AttributeError: a -- nosy: +segfaulthunter ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Andreas Stührk andy-pyt...@hammerhartes.de added the comment: Attached is a patch that fixes the issue: The dict methods are now used directly and before every access to an instance's __dict__ attribute, it is checked that that attribute is really the instance's attribute and not a class attribute of the instance's type. -- keywords: +patch nosy: +Trundle Added file: http://bugs.python.org/file20811/inspect_issue_11133.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
New submission from Daniel Urban urban.dani...@gmail.com: The documentation of getattr_static says: The only known case that can cause getattr_static to trigger code execution, and cause it to return incorrect results (or even break), is where a class uses __slots__ and provides a __dict__ member using a property or descriptor. If you find other cases please report them so they can be fixed or documented. I'd like to report another case: when an object's __dict__ is an instance of a dict subclass which overrides dict.get: _sentinel = object() class MyDict(dict): ... def get(self, key, default=_sentinel): ... print('Hello World!') # This code will execute ... if default is _sentinel: ... return super().get(key) ... else: ... return super().get(key, default) ... class X: ... def __init__(self): ... self.__dict__ = MyDict() ... x = X() inspect.getattr_static(x, 'foo', 0) Hello World! 0 (In line 1072. _check_instance calls MyDict.get: instance_dict.get(attr, _sentinel).) -- components: Library (Lib) messages: 128067 nosy: durban, michael.foord priority: normal severity: normal status: open title: inspect.getattr_static code execution versions: Python 3.2 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Michael Foord mich...@voidspace.org.uk added the comment: The fix is to use dict methods rather than accessing members through the instance. It will have to wait until 3.2 is out now though. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Changes by Michael Foord mich...@voidspace.org.uk: -- assignee: - michael.foord ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com