[issue11133] inspect.getattr_static code execution
Daniel Urban urban.dani...@gmail.com added the comment: The new entry in Misc/NEWS says: Patch by Daniel Urban. But it wasn't me, who made the patch, I just opened the issue. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Roundup Robot devnull@devnull added the comment: New changeset 382cb3386d57 by Benjamin Peterson in branch '3.2': correct patch ack (#11133) http://hg.python.org/cpython/rev/382cb3386d57 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Michael Foord mich...@voidspace.org.uk added the comment: Thanks Daniel (and sorry Andreas). Benjamin Peterson has fixed this. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Roundup Robot devnull@devnull added the comment: New changeset 8c7eac34f7bf by Michael Foord in branch '3.2': Closes issue 11133. Fixes two cases where inspect.getattr_static could trigger code execution http://hg.python.org/cpython/rev/8c7eac34f7bf -- nosy: +python-dev resolution: - fixed stage: - committed/rejected status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Michael Foord mich...@voidspace.org.uk added the comment: __dict__ as a property is documented as an exception to the no code execution claim. The patch is not sufficient - instances may have a class member __dict__ whilst still having an instance __dict__. Alternatively the __dict__ property may be provided by a base class and so not available in type(obj).__dict__ but still be provided by a property. I don't think there is any general way to tell whether fetching obj.__dict__ will get an instance dictionary or fetch a __dict__ member from the class or a base-class... (Hence the documented exception.) -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Andreas Stührk andy-pyt...@hammerhartes.de added the comment: The patch is not sufficient - instances may have a class member __dict__ whilst still having an instance __dict__. Sure, but I don't think there is a way how you can access the instance __dict__ in that case inside Python code. At least I can't think of one. Alternatively the __dict__ property may be provided by a base class and so not available in type(obj).__dict__ but still be provided by a property. I don't think there is any general way to tell whether fetching obj.__dict__ will get an instance dictionary or fetch a __dict__ member from the class or a base-class... (Hence the documented exception.) Why not? ``obj.__dict__`` will fetch the instance dictionary iff there is no class attribute __dict__ in any of the base classes. In the patch,``type.__dict__[__dict__].__get__()`` is used to get (without any doubt) the class dictionary. By looking inside that dictionary, we can now tell whether __dict__ is overwritten: If it isn't overwritten, the dictionary either doesn't have a __dict__ entry at all or the value is a getset_descriptor. So we just need to iterate over a type's mro, look inside each entries' dictionary and stop when a __dict__ entry is found. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Florian Mayer florma...@aim.com added the comment:
Apparently another way to get getattr_static to execute code in Python 2.3rc3
is simply the following.
class Foo:
... @property
... def __dict__(self):
... print(Hello, World.)
... return {}
...
import inspect
inspect.getattr_static(Foo(), 'a')
Hello, World.
Traceback (most recent call last):
File stdin, line 1, in module
File /home/name/opt/lib/python3.2/inspect.py, line 1130, in getattr_static
raise AttributeError(attr)
AttributeError: a
--
nosy: +segfaulthunter
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11133
___
___
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Andreas Stührk andy-pyt...@hammerhartes.de added the comment: Attached is a patch that fixes the issue: The dict methods are now used directly and before every access to an instance's __dict__ attribute, it is checked that that attribute is really the instance's attribute and not a class attribute of the instance's type. -- keywords: +patch nosy: +Trundle Added file: http://bugs.python.org/file20811/inspect_issue_11133.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
New submission from Daniel Urban urban.dani...@gmail.com:
The documentation of getattr_static says:
The only known case that can cause getattr_static to trigger code execution,
and cause it to return incorrect results (or even break), is where a class uses
__slots__ and provides a __dict__ member using a property or descriptor. If you
find other cases please report them so they can be fixed or documented.
I'd like to report another case: when an object's __dict__ is an instance of a
dict subclass which overrides dict.get:
_sentinel = object()
class MyDict(dict):
... def get(self, key, default=_sentinel):
... print('Hello World!') # This code will execute
... if default is _sentinel:
... return super().get(key)
... else:
... return super().get(key, default)
...
class X:
... def __init__(self):
... self.__dict__ = MyDict()
...
x = X()
inspect.getattr_static(x, 'foo', 0)
Hello World!
0
(In line 1072. _check_instance calls MyDict.get: instance_dict.get(attr,
_sentinel).)
--
components: Library (Lib)
messages: 128067
nosy: durban, michael.foord
priority: normal
severity: normal
status: open
title: inspect.getattr_static code execution
versions: Python 3.2
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11133
___
___
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Michael Foord mich...@voidspace.org.uk added the comment: The fix is to use dict methods rather than accessing members through the instance. It will have to wait until 3.2 is out now though. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11133] inspect.getattr_static code execution
Changes by Michael Foord mich...@voidspace.org.uk: -- assignee: - michael.foord ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11133 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
