[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Francisco Demartino
Francisco Demartino added the comment: Serhiy, Chris, thank you for your additional comments. They surely helped me understand why my solution to this "problem?" isn't that good (also I slept on it a bit and maybe that helped). I still ponder for a way to get autocompletion while

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Christian Heimes
Christian Heimes added the comment: inspect.getattr_static *tries* to get attributes without triggering dunder methods. It's neither fully compatible with getattr() nor does it guarantee that no code is triggered. The function may or may not be secure. Surprise or not surprise is a matter of

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: It is less useful because it doesn't work with dynamic attributes (with __getattr__ and __getattribute__). And if executing property getters is an issue (I don't think it is), this change doesn't fix it completely.

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Francisco Demartino
Francisco Demartino added the comment:
> There is no way to safely inspect any Python object without triggering some
> dunder functions like __getattr__, __getattribute__ or __dir__.
But somehow inspect.getattr_static can do it?
> Your change is not backwards compatible and makes

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Christian Heimes
Christian Heimes added the comment: Your change is not backwards compatible and makes auto-completion less useful.

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Francisco Demartino
Francisco Demartino added the comment: I've updated that branch and made a pull request (https://github.com/python/cpython/pull/248). I think this is a good compromise: inspect.getattr_static can tell if it's a property, and in that case we don't call getattr on it to prevent code execution

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Francisco Demartino
Changes by Francisco Demartino: -- pull_requests: +213 status: pending -> open

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Christian Heimes
Christian Heimes added the comment: I agree with Serhiy. There is no way to safely inspect any Python object without triggering some dunder functions like __getattr__, __getattribute__ or __dir__. -- nosy: +christian.heimes resolution: -> not a bug stage: -> resolved status: open ->

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: This is how Python works. Accessing an attribute (and even checking that the attribute exists) can trigger code execution. Changes in https://github.com/franciscod/cpython/tree/bpo-29630 break autocompleting of proxy objects. And in any case it triggers

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Francisco Demartino
Francisco Demartino added the comment: This branch (working on the PR) fixes it: https://github.com/franciscod/cpython/tree/bpo-29630

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Louie Lu
Louie Lu added the comment: Could it be a problem from readline? Using Python 2 with readline triggers the same behavior.

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Louie Lu
Louie Lu added the comment: I can reproduce the problem in Python 3.7. -- nosy: +louielu

[issue29630] REPL tab-completion triggers code execution

2017-02-23 Thread Francisco Demartino
New submission from Francisco Demartino: On the REPL, when autocompleting with the TAB key, getattr is called, potentially triggering code execution. This took me by surprise. Until you press RETURN, it should be pretty safe to go around autocompleting with certainty that you won't run any